Dislike: Forum user & Plex-user are tied together :-( - why?

higeko | Posts: 133 | Members, Plex Pass

I don't understand why the forum user has to be tied to the Plex web username. What are the reasons for this?

We really don't like that one half of our log-in to our user-account and server is readable to everyone and ready for brute force attacks.
Of course we have safe password-manager-created passwords but we really would prefer to keep these credentials divided somehow and every part of our log-in more private.
Or at least - as it has been in the old forum - it's up to me, if I like to keep it the same.

There have been hacked accounts in the past so Plexers found themselves streaming to people/IPs they didn't invite by using exactly this way.

Are there plans to change that again?

Welcome back of course. Thank you for your work!!! :-)

Answers

  • udo.christ | Posts: 396 | Members, Plex Pass

    Then the login name should not be shown publicly in the forum since this is half of the authorization..

  • zorglub2000 | Posts: 177 | Members, Plex Pass

    I agree we should be able to choose a different username for the forum! Sad to have lost my username :/

  • justme1968 | Posts: 281 | Members, Plex Pass

    Even worse: since I had not set a Plex user name, the forum did display my e-mail address everywhere as a user name.

  • Luxferro | Posts: 284 | Members, Plex Pass
    edited July 2015

    +1

    I want to be able to display a different forum name, and not let people know 1/2 my login credentials. Please change this, or give us 2 factor auth.

    edit: also let us delete our posts... now my email address is stuck here, even though my username is changed to not my email..

    edit2: also let us report posts.. can't even report my own post to have it removed...

    edit3: fixed my post so it's not my email by going here: https://forums.plex.tv/sso

  • Magnus33 | Posts: 236 | Members ✭✭

    The concept is proven but they avoid handing out half the user sign-in info, which is what you're doing.

    That's not what I would call improving security but it's easy to fix and something that you should do quickly.

  • _Rogue | Posts: 57 | Members, Plex Pass

    Agreed! I want my server to use my real name and the forum to use my online handle. Login should be email only. Also being able to change the name of users that show in Plex Home would be useful.

  • AnEightiesGuy | Posts: 249 | Members, Plex Pass

    @_Rogue said:
    Agreed! I want my server to use my real name and the forum to use my online handle. Login should be email only. Also being able to change the name of users that show in Plex Home would be useful.

    Agreed. I think switching login to just email would reduce the issue, as we wouldn't be giving away half of our login just by being present on the forum.

  • Jean Gionet | Posts: 114 | Members, Plex Pass
    edited July 2015

    I really don't like this either.. I had to change my UserName just so I can keep my name private.. but now my NickName is now my name everywhere I use Plex with my family... There should be a PLEX account Name and a Forum name/nickname at least..

  • elan | CTO and Co-founder | Maui | Posts: 9,317 | Members, Plex Employee, Plex Pass, Plex Ninja

    I get your concerns; we've implemented (and have been improving as we go) countermeasures against such brute-force attacks against accounts. After all, we aspire to something better than security through (username) obscurity.

    Given the fact that the users on the forums are tied tightly to Plex users in terms of Plex Pass and such, I think it would be confusing to allow people to pick their own forum names which were totally different than Plex usernames. Imagine if "Dylan" wants to be known as "Bob" and then bob comes along and has to pick Bob2 or something.

    We are continuing to discuss this internally, and let's keep chatting until we figure out something which works for everything :)

    @Luxferro said:
    edit3: fixed my post so it's not my email by going here: https://forums.plex.tv/sso

    We're fixing this so such edits are "live".

  • Jean Gionet | Posts: 114 | Members, Plex Pass

    I don't mind if the accounts are the same everywhere. I just rather keep my real name private on forums. Having an alias/handle on the forums would work for me! :)

  • elan | CTO and Co-founder | Maui | Posts: 9,317 | Members, Plex Employee, Plex Pass, Plex Ninja

    @Jean Gionet said:
    I just rather keep my real name private on forums

    But just to be clear, your real name isn't "Cylac", right?

  • Jean Gionet | Posts: 114 | Members, Plex Pass
    edited July 2015

    @elan said:
    But just to be clear, your real name isn't "Cylac", right?

    lol right! It's my nickname/handle/login on most forums and services.
    I just want to be able to display my real name to my family members using my Plex server. (I'm sure I'll hear from my wife and kids tonight asking me WTH is Cylac? lol)

    edit: my login name WAS my REAL NAME until I changed it to Cylac today since I saw my real name showing up on these forums.

  • Jean Gionet | Posts: 114 | Members, Plex Pass

    @elan said:
    Ah, gotcha, that makes sense. We've been talking about extending the "friendly name" to others besides managed users, since it sucks to see your wife/husband as Bob42 or whatever when they should just be Bob.

    you got it! Thanks for considering this option! I'm sure the entire Plex Forum community would appreciate it! ;)

  • sdjme | Posts: 662 | Members, Plex Pass

    Just wanted to mention that I too was affected by this change of linking the forum account with my Plex/PlexPass account. My Plex account name was my last name, which then suddenly became the name for all of my Plex forum posts. My forum name is now associated with a non-Plex account. So really my old forum identity is gone forever. I know you can't please everyone, but it is a shame.

  • MikeG6.5 | Posts: 2,344 | Members, Plex Pass

    This is irony on irony, actually....

    Some of us changed our Forum user name to be different than our Plex account name, to minimize the potential of someone hacking our systems.

    Finally get the security issues we have clamored for a couple of years resolved, and within a short time frame the forum gets hacked, with user forum names and passwords potentially at risk, so we are prompted to change our passwords.

    New forums come online and we are back to using our Plex account names for forum logins... AND can't change them to something else on our own.... :(

    Please, Elan, you HAVE to change this. Already, the forums have been hacked. I know we're using different software on the forums now, but lightning has a tendency to strike twice regardless of what the weathermen say.... If the hacker had the gumption to hack these forums once, that means he has an interest in the software, however macabre it might be...

  • elan | CTO and Co-founder | Maui | Posts: 9,317 | Members, Plex Employee, Plex Pass, Plex Ninja

    @MikeG6.5 ~ I think Alanis Morissette might agree with you.

    Again, just to be clear, I don't think there is meaningful security behind hiding your forum name. Also, as I've stated, we have countermeasures in place to prevent people from brute-forcing your accounts, because these forums aren't the only place where usernames and emails might be obtained.

    (Also, the vast majority (like > 99%) of users had usernames which matched between Plex and the forums. So this is not a massive change.)

    All that having been said, we are discussing internally, to see if there might be something else we can do on this front.

  • haertig | Posts: 438 | Members ✭✭✭
    edited July 2015

    I hope that the PLEX team hires on some permanent security experts, if they haven't done so already. I think PLEX is a very sophisticated and advanced media server. I love it! However, and I don't say this to be argumentative, but I also think PLEX is a security nightmare.

    Any time you run a server on your system, you better be dang sure that server is secure. There was a problem with PLEX, somewhere around version 0.9.9.3 (?), at least the Linux version, that opened up your system. And now we have the forum hack, which may well be the fault of the forum software, but the fact that we were immediately forced to change our passwords makes me think the rabbit hole goes much deeper than has been reported/discussed. It was great that the Plex team jumped on this immediately and informed users, but it is still worrisome that they HAD to. Now we have a new SSO security model. All of this is good and necessary stuff, no complaints about that. But it does tend to point to hit-or-miss security, at least up to this point in time. I am too paranoid to allow any third party to control authentication and access to my system (i.e., a Plex account). I set up VPN to control my own remote access, but that's a different topic and probably one that is beyond the abilities of the typical PMS user. I am still concerned that PMS reaches out and updates software on my system on its own (are these called "bundles"?). So I run PMS on a system that does not contain any other sensitive or critical information. I am thinking of constraining it even further, and running it in a virtual machine.

    My point in saying all this is, the way remote access into Plex is setup with 3rd party control, means that you REALLY have to trust that 3rd party. There have been a couple of letdowns on that trust over time. I will of course continue to use Plex, but will hedge my bets on security by keeping as much under my personal control as I possibly can. It leaves a bit of a bad taste in my mouth that now we are being told that Plex accounts and forum accounts should use the same name (userid, or whatever you want to call it). And the reason seems to be, "Because WE know what's good for you". That only works if you can have absolute 100% trust in WE.

    Note: I expect to get some negative comments stating that I'm not a Plex Pass member, and thus have no right to complain. My answer to that would be, "I don't run pre-release pre-beta software as a server on my system". That would put me in an even worse security predicament.

  • elan | CTO and Co-founder | Maui | Posts: 9,317 | Members, Plex Employee, Plex Pass, Plex Ninja

    @haertig said:
    Note: I expect to get some negative comments stating that I'm not a Plex Pass member, and thus have no right to complain

    You have every right to complain :)

    @haertig said:
    There was a problem with PLEX, somewhere around version 0.9.9.3 (?), at least the Linux version, that opened up your system

    Honestly not sure what you're referring to here. But that version is ancient, and I'm sure ancient software had a number of issues, and I'm sure if it was a serious security issue, it was quickly fixed.

    @haertig said:
    but the fact that we were immediately forced to change our passwords makes me think the rabbit hole goes much deeper than has been reported/discussed

    This is hyperbole. Let me explain again exactly why we did this: The attacker gained access to hashed passwords and salts from the forum database. In order to prevent them from being able to log into Plex after "reversing" those hashes, we took the immediate proactive measure of resetting passwords.

    There is no rabbit hole.

    @haertig said:
    So I run PMS on a system that does not contain any other sensitive or critical information. I am thinking of constraining it even further, and running it in a virtual machine

    That would be a smart move with any server. Compartmentalization is definitely nice, and much easier with things like Docker.

    @haertig said:
    And the reason seems to be, "Because WE know what's good for you"

    That's definitely not the reason. The old forums had fairly flaky linkage to Plex services, due to the fact that people had different emails, usernames, etc. This new SSO solution is much more robust, doesn't store any credentials (hashed or others) on the forums server, and has strong linkage between accounts on the two systems. During the import/transfer, we analyzed the mapping and found that over 99% of people had identical usernames, and decided to clean the rest up and make it a stronger mapping, especially since it could lead to weird situations if future Plex users chose usernames which matched custom Plex forum names (if they were different).

    I'll end by repeating what I already said above: we are discussing internally, to see if there might be something else we can do on this front for those people who are violently opposed to exposing their usernames.
