And storing it with reversible encryption is nearly just as bad, and I hope that's what is being done as a minimum currently in order to even make this possible.
My old account was GMan, and I've been meaning to switch to this new one for some time. Having just done so, upon registration my username and password were sent to me in plain text in an email. This is a huge security no-no.
Can we not do this? Perhaps switch to something like OpenId so the site doesn't even have to be in the business of handling passwords, which is notoriously easy to mess up.
Thanks! Even better, perhaps we could retire phpBB, which is now bit-rotten and out of date. A more modern alternative like http://www.discourse.org/ would be swell.
And storing it with reversible encryption is nearly just as bad, and I hope that's what is being done as a minimum currently in order to even make this possible.
It is not stored with reversible encryption (but it is still quite weak).
NicholasGorski wrote:
Can we not do this? Perhaps switch to something like OpenId so the site doesn't even have to be in the business of handling passwords, which is notoriously easy to mess up.
The password handling in web is just messed up in general. There is very large difference between state-of-the-art with passwords and the best that can be done on web...
And everything else seems to be just DOA, thanks to web browser usability issues.
Oh, and this isn't the only part in web security that is total clusterfuck...
NicholasGorski wrote:
Thanks! Even better, perhaps we could retire phpBB, which is now bit-rotten and out of date.
Yeah, getting rid of phpBB is a long-term TODO. Unfortunately, the site code is quite a mess of interdependencies on both Wiki and forum sides...
Yeah, hackers are really interested in your password to this site.
if he is using the same password everywhere, this site can become a key to his bank account...
That's his own fault then for stupid interneting
not to be offienssive, but that's the case for like 90% of the peoples i know
working in the IT, i know that the first reaction you get about changing password is "ow must i really do it ? they are so hard to remember"
there is even a XKCD for this :
One ok idea is to use two passwords - one for financial services and emails you link to such services, one for stuff where it doesn't matter if the account is broken into, or if you suspect the security is bad enough it might get leaked.
One ok idea is to use two passwords - one for financial services and emails you link to such services, one for stuff where it doesn't matter if the account is broken into, or if you suspect the security is bad enough it might get leaked.
Better to use password manager and multiple passwords (perhaps with a password shared with stuff you really don't care about).
On the original issue of the site having his plaintext password you're missing the obvious: your complaint is the site has your plaintext password at the moment of registration. Duh! You literally just provided it.
not to be offienssive, but that's the case for like 90% of the peoples i know
If he's savvy enough to understand what plaintext transmission of information is and when it's happening, and why it poses a security risk for login information, he ought to also understand why it's a bad idea to use the same password for important and less important websites.
I wouldn't like it if someone hacked my tasvideos.org account and started posting goat porn or spam, and I would not mind if the login was encrypted, but I do not consider it a very high priority issue either.
not to be offienssive, but that's the case for like 90% of the peoples i know
If he's savvy enough to understand what plaintext transmission of information is and when it's happening, and why it poses a security risk for login information, he ought to also understand why it's a bad idea to use the same password for important and less important websites.
I wouldn't like it if someone hacked my tasvideos.org account and started posting goat porn or spam, and I would not mind if the login was encrypted, but I do not consider it a very high priority issue either.
The entire web is broken when you consider that confidential information is sent via email (e.g. password resets). This allows anyone to just sniff the information and use it to reset the password, encrypted or not.
We really need that secure email right now...
The entire web is broken when you consider that confidential information is sent via email (e.g. password resets). This allows anyone to just sniff the information and use it to reset the password, encrypted or not.
We really need that secure email right now...
On the original issue of the site having his plaintext password you're missing the obvious: your complaint is the site has your plaintext password at the moment of registration. Duh! You literally just provided it.
Email is not a secure protocol. Sending passwords or any other valuable information over email is inherently a bad idea. Hence the comment a couple of posts above mine about needing "secure email".
Pyrel - an open-source rewrite of the Angband roguelike game in Python.
Hey guys, I found out that if you write down your password here, it is automatically censored:
*********
Amazing!
Dumb jokes aside, usability and security are always at odds with eachother. My advice is to just excercise common sense and not to use throwaway passwords (much less the same ones) in more sensitive websites than this one. Above all else, don't just give the password out yourself.
Considering that your password is sent completely unencrypted every time you log in, emails really are the least of your problems.
On this site, yes, but that's not the case on most sites.
But yes, you are right, it's only part of the problem. Yet, it IS a necessary parameter in the equation.
security is voided the moment you connect to the internet,
you can't "network" without sharing and you can't corretly share with too much security....
your computer is not secured if it can be physicaly accessed by somebody else,
your internet connection is not secured if someone can put a black hole on your node
your passwords are not secured if there is a failsafe system
the failsafe system is not secured because it is meant to be a hole in the security
nothing is safe from ducks.
ducks are ducks from ducks.
ducks ducks ducks ducks ducks.
morality : ducks can hack your computers.
No, I don't use the same password everywhere, though that doesn't really mean plain text handling of a password is okay. (And some people, for worse, do. I don't think it's fair to them to say "you shouldn't have to care the site is insecure" and not care if the site is insecure.)
While I agree hacking tasvideos is probably low on the totem pole, the reason I brought it up is that the perceived quality of site is certainly lessened by the issue, and I would like to help out by just making sure the issue was known. I now know it is and that the site administrators just haven't had the time for it, which is perfectly valid.
(As for why I changed my name anyway, I've been using "GMan" in some variation or another as my moniker for almost 17 years, and it's grown tired to me to the point of being annoying.)
why didn't you simply message an admin to change the username for you,
i think it's possible ? (as double accounts are forbiden, it should be ? riiighht ? )
as for the site security, until it gets fixed, try to think of it as ridding a bike...
it's fun, but it's safer to walk...
especialy when ducks are involved
