Legacy Filters for "Non-Existent Account" watchers
If I am understanding you correctly this is happening:
A valid member uses a password manager. (as many do)
The password manager input is not registered which makes it a non-existent user.
This will trigger the "Failed Logins: Non-Existent Accounts" watcher.
So this bans valid members with password managers.
If I am understanding you correctly then this banning of valid members can be avoided by not counting the 'user name' to the non-existent accounts watcher.
A valid member uses a password manager. (as many do)
The password manager input is not registered which makes it a non-existent user.
This will trigger the "Failed Logins: Non-Existent Accounts" watcher.
So this bans valid members with password managers.
If I am understanding you correctly then this banning of valid members can be avoided by not counting the 'user name' to the non-existent accounts watcher.
Not exactly, I'll explain.
If you are not logged in, and you receive a full-page "no permissions" screen, on most skins there will now be 2 login forms: The navbar, and the main body of the page.
If you use the login form on the main body of the page, and your password manager does not already have an entry for your site, it will offer to save your username and password. It will correctly read the password you have filled in, but it will use the placeholder text (which is translatable via the vBulletin Phrase system) as the user name.
For English forums, this is "User Name". For multi-lingual forums, this would vary based on the chosen language of the user. This is why it's not feasible to exclude these entries from the Non-Existent Usernames list - the actual wording used would be different based on languages.
The way this would trigger the Watcher in vBSec is if the user does not know about this caveat with their password managers, the subsequently log out and try to login again, trying 5 times using their saved input, never once noticing the password manager is filling out "User Name" instead of their actual username before they click Submit.
In short, it's incredibly rare and requires the user to not pay any form of attention whatsoever.
If you are not logged in, and you receive a full-page "no permissions" screen, on most skins there will now be 2 login forms: The navbar, and the main body of the page.
If you use the login form on the main body of the page, and your password manager does not already have an entry for your site, it will offer to save your username and password. It will correctly read the password you have filled in, but it will use the placeholder text (which is translatable via the vBulletin Phrase system) as the user name.
For English forums, this is "User Name". For multi-lingual forums, this would vary based on the chosen language of the user. This is why it's not feasible to exclude these entries from the Non-Existent Usernames list - the actual wording used would be different based on languages.
The way this would trigger the Watcher in vBSec is if the user does not know about this caveat with their password managers, the subsequently log out and try to login again, trying 5 times using their saved input, never once noticing the password manager is filling out "User Name" instead of their actual username before they click Submit.
In short, it's incredibly rare and requires the user to not pay any form of attention whatsoever.
I see. Its the same in the German and Dutch language packs, as these phrases are not translated,
I have installed vbsec 10 days ago and every day I see a list of login strikes as 'User Name'.
btw: I have found that many users are banned in half the allowed strikes. I assume this is because there are 2 login boxes on some pages?
I have installed vbsec 10 days ago and every day I see a list of login strikes as 'User Name'.
btw: I have found that many users are banned in half the allowed strikes. I assume this is because there are 2 login boxes on some pages?
That wouldn't necessarily apply to every single translation of the forum, though.
What I can look into is the feasibility of setting certain phrases as "excluded", e.g. you could set it so that User Name, Fillip H. and Alfa1 will never be counted against vBSec's strikes. It's a more complicated system though, so it won't be in tomorrow's update.
Depending on how each password managers work, that could very well be it.
This would be useful.
Its not a password manager thing. It happens to users without password manager.
- Status
Similar threads
- Locked
- Suggestion
