Forums

It's also a valid point as in what type of developers will be attracted. The simple fact that it's owned by a business which hasn't done a stellar job so far isn't exactly enticing. What if they do get some damn good code contributions and then decide to close it off to external developers again? Those will be points prospective contributors consider, and in all honesty, with Informer's track record, I doubt any quality coders would associate with that project.

In what way?

Cheers Franz.

Change this line:

            $output .= '<div class="block">'."\n".'<h2><span><a href="'.$pun_config['o_base_url'].'/viewtopic.php?id='.$cur_topic['id'].'&amp;action=new" title="'.pun_htmlspecialchars($cur_topic['subject']).'">'.pun_htmlspecialchars($subject_truncated).'</a> - '.gmdate('l, F d, Y', $cur_topic['posted']).'</span></h2>'."\n\t";

to:

            $output .= '<div class="block">'."\n".'<h2><span><a href="'.$pun_config['o_base_url'].'/viewtopic.php?id='.$cur_topic['id'].'&amp;action=new" title="'.pun_htmlspecialchars($cur_topic['subject']).'">'.pun_htmlspecialchars($subject_truncated).'</a> - '.format_time($cur_topic['posted']).'</span></h2>'."\n\t";

How much of that traffic converts to actual registering users and not just momentary traffic though? Every single thing I've read and heard so far points to social networking been practically useless with regards to generating registered users. It will merely generate a temporary traffic upsurge at best.

If you think that creating false positives which then have to be allowed is a good way to proceed, I suggest you give up now before you go any further. There will always be *some* false positives with any method, (say an I.P address has been blocked legitimately as being used by a spamming user which then becomes assigned to another, legitimate, user later down the line), but those should be rarities rather than commonplace. No system should ever work on the assumption that incorrect rejections are a reasonable casualty.

Simply put, clueless admins may suffer shite for a while, but anyone who is worth their salt as an admin wouldn't touch a half-arsed system like that no matter what.

Yeah, the avatar is a bit misleading. I'm definitely no Yank. It's more along the lines of a (dis)merit badge. It still amuses me no end though, hence why I keep it. Same with the sig line.

Words did fail me a bit on that one, I'll admit. It was the only thing that popped into my head.

Wasn't overly sure of what techniques they use for doing it, in all honesty. Never actually spent too much time checking the cracking side of the equation, with never having had need to do it.

I may have worded it weirdly. I was referring to the fact that only the encryption of the password is secure. Everything else is still like using planks around an iron gate. Also, on the password encryption point, the fact that running a dictionary or common password type testing system on the acquired passwords would probably yield a good proportion of the passwords in far less time than it would take to crack the passwords encryption has also to be considered. As well as people using same passwords for multiple sites, a good proportion are also very predictable in their general choices of passwords. Names, birthdays, LOTR characters etc.

Browser caching, possibly. CTRL+F5 to force a refresh.

Wrong only in relation to the security/strength of the password itself.

I'm not saying there's no point. I'm merely asking what is the point? Upto just, bragging rights about how secure the password hashing is is the only thing I can see.

You are correct. They are two very different things. You're missing the point though. Take the machine account left unlocked whilst user absent scenario. If some other user has access to that machine, do you honestly think the forum login/account is going to be either the malicious users, (or later on down the line the valid users), main concern? Interesting concept.

Your concern is to protect the board, not to try and protect a user from their own stupidity. You will always fail on the latter score.

But again, it's going to help how? I can just see the admin sending out the newsletter to users for that one.

Seriously, forgive my lack of enthusiasm regarding your point here, but I can honestly see no point.

So the unauthorised user at the compromised machine couldn't just keep booting the legit user offline then, each time they try logging in? Do you also not think that sending a password reminder to the user might be possible if someone is at that persons machine and they know their login username? After all, their e-mail client is probably on that machine too. Or, are you suggesting that you should make a user also enter their password before they can receive a password renewal link for the password which they have forgotten? Also, I suppose that the automatic password storage/entry jobbies that most browsers have would suddenly not work with that ancillary password prompt, if it had been told to always login automatically?

Edit: Just to mention the point I'm trying to make, and which I forgot to mention, you're over-engineering. If there's a rock solid reason for implementing something in a certain fashion, fine, but implementing severly excessive password hashing just for the sake of it is pointless. Unless you're encrypting any and all information within the DB and making it so that no one part of that content is any less easily compromised, there's really no point. If it's just for bragging rights then by all means, but I'd personally suggest keeping the functionality realistic. You're thinking too much like designers and not engineers, IMHO.