
FORUM SECURITY ISSUE

Obviously, we're aware of the crap that means occasionally people get to post as other people (presumably some cookie related weirdness) but I've just stumbled across the fact that when you log in to the forum, your password is sent across the internet in plain text.

Make sure your password is unique to this forum and change it regularly as I hold out zero hope that anything will be done about it.

:roll:

Updated November 19, 2012 at 10:29 AM

--

What's the difference between a BMW and a hedgehog?

Is there any way of using this to access the spambots' accounts...?

Thanks for the heads up. Are the folks at Evo Towers aware of the issue?

--

Tree Trunks, I'm all jacked up because of you. Look at my jacked up face!

Jobbo said...

Is there any way of using this to access the spambots' accounts...?

Theoretically. It makes a man-in-the-middle attack much easier. My concern is more if someone manages to sit on a user's wi-fi connection (ridiculously easy to do even if security is set up "right") and people tend to use the same password for various sites (bad practice, don't do it!), you're potentially giving your passwords away.

Mind you, given the approach to security on this forum, I doubt it would be that hard to gain access directly to the user db anyway.

--

What's the difference between a BMW and a hedgehog?

I don't remember the last time I had to type my password on here anyway; is this something which happens just when you log in, or every time you open the site when it shows you as logged in?

I'll tell you in a sec.

--

What's the difference between a BMW and a hedgehog?

It stores your authentication in a cookie so you don't need to resend it. So it's only an issue when you actually log in.

--

What's the difference between a BMW and a hedgehog?

Interesting. My email and Twitter accounts (which used the same password as here) were hacked a few months ago. Have since changed passwords on those but I should probably get a unique one for here if that's the case.

How do I change my evo password [/noob]

Edit: My Profile - General Profile - Password: change password

Updated November 19, 2012 at 11:01 AM

--

Entirely pointless

I'm annoyed at myself for not spotting it earlier. I'd assumed they'd made that section secure even though the rest of the page wasn't.

Someone needs to tell them it ain't 1997 any more and this isn't acceptable.

I've emailed Stephen Dobie and Harry.

--

What's the difference between a BMW and a hedgehog?


Thanks - it explains something, why I could not log in to my EVO account, and had to do a password reset.

I know exactly who and when it was hacked!

EDIT:


Wouldn't forcing the forum to use HTTPS mean that it should then be encrypted end-to-end?

Updated November 19, 2012 at 12:49 PM

It's pretty common on normal websites to have no SSL certificate, even when there's a login area with a password.

I guarantee for most of you that this isn't the only site you frequent with this problem...

ilmostro said...

Wouldn't forcing the forum to use HTTPS mean that it should then be encrypted end-to-end?

Yes. And in fact evo DOES have SSL (https). Just change the URL to https instead of http and it works. There's a plugin called HTTPS Everywhere that you can get for Firefox/Chrome etc. - not sure if evo is listed in it already, but I'm sure you can add it as a new rule of your own if you want.
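Two points from the thread are easy to check for yourself: whether a site's login form posts the password over plain http, and whether the cookie it hands back afterwards is also sent in clear (a cookie without the Secure attribute goes out on every http request, so the logged-in session is exposed the same way the password is). The script below is an added example, not code from the forum or its operators; the sample page, URLs and Set-Cookie header are constructed to resemble the situation described, not captured from the real site.

```python
"""Check whether a page's login form and session cookie travel in clear text.

Added example (Python 3 standard library only); not code from the forum or
its operators. The sample HTML and Set-Cookie header below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_logins(page_url, html):
    """Return (submit_url, reason) for every password form that is exposed.

    Flagged:
      * action resolves to http://  - the password is readable by anyone on
        the path (shared wi-fi, a rogue access point, the ISP);
      * action is https:// but the page came over http:// - an on-path
        attacker can rewrite the form before the browser renders it, so an
        https action on an http page is no protection on its own.
    """
    parser = _FormFinder()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme.lower() != "https":
            findings.append((submit_url, "password posted over plain http"))
        elif page_scheme != "https":
            findings.append((submit_url, "https action on an http page; form can be rewritten in transit"))
    return findings


def cookie_exposed_over_http(set_cookie_header):
    """True if the cookie lacks the Secure attribute: the browser will then
    send it on every plain-http request after login, so the session itself
    (not only the password) can be lifted off the wire."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


# Constructed sample: a forum index with a relative login action.
SAMPLE_PAGE = """
<html><body>
<form action="search.php" method="get"><input name="q"></form>
<form action="login.php" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""
# Constructed sample: session cookie set without the Secure attribute.
SAMPLE_COOKIE = "forum_session=abc123; Path=/; HttpOnly"

if __name__ == "__main__":
    for url in ("http://forum.example/forums/index.php",
                "https://forum.example/forums/index.php"):
        print(url, find_plaintext_logins(url, SAMPLE_PAGE))
    print("cookie exposed over http:", cookie_exposed_over_http(SAMPLE_COOKIE))
```

Run against the same HTML under an https page URL the relative action resolves to https and nothing is flagged, which is exactly what switching the URL (or an HTTPS Everywhere rule) buys you; the cookie check still matters, because a Secure-less cookie is sent in clear the moment you follow any http link back into the site.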

_ said...

It's pretty common on normal websites to have no SSL certificate, even when there's a login area with a password.

I guarantee for most of you that this isn't the only site you frequent with this problem...

It's probably the only commercial one, that I can think of, though.

--

What's the difference between a BMW and a hedgehog?

_ said...

ilmostro said...

Wouldn't forcing the forum to use HTTPS mean that it should then be encrypted end-to-end?

Yes. And in fact evo DOES have SSL (https). Just change the URL to https instead of http and it works. There's a plugin called HTTPS Everywhere that you can get for Firefox/Chrome etc. - not sure if evo is listed in it already, but I'm sure you can add it as a new rule of your own if you want.

Well, that just makes it worse.

--

What's the difference between a BMW and a hedgehog?

Been using separate passwords since September, since I use BT Openzone for my uni accommodation, so it must be really easy to hack, but I don't mind as it's free.

--

Making pancake mix for your mums pancake tits.

I have accessed Maurice's Amazon account using his password from here.
He now has an order of 1690 rubber dog cocks heading his way.

--

How are you doing? Is you good becos' I want to know.

_CC_ said...

I have accessed Maurice's Amazon account using his password from here.
He now has an order of 1690 rubber dog cocks heading his way.

He's going to be pissed off when he finds out you reduced his order!

--

What's the difference between a BMW and a hedgehog?

NotoriousREV said...

_CC_ said...

I have accessed Maurice's Amazon account using his password from here.
He now has an order of 1690 rubber dog cocks heading his way.

He's going to be pissed off when he finds out you reduced his order!

:lol:

I didn't know they sold them on Amazon. I've got some vouchers here...

--

Knackered old hairdresser's sh1tter

We should all use different passwords for different sites, and as hard as you might think it is to do this and remember them, it doesn't have to be that hard. Here's an idea I like for people with a bad memory.

You might for example have a base password of

ThisIsMYBasePassword

then add something to the beginning or ending of it to make it more site specific. You might, for example, choose to put the number of letters in the page name as your ending: EVO = 3 letters = 3. Leaving you with...

ThisIsMYBasePassword3
OR
ThisIs3MYBasePassword

etc

Substitute with whatever works for you.

Maybe number of consonants at the front, vowels at the back?

i.e.

1ThisIsMYBasePassword2

As with many times in life, there is an xkcd to help us.

Updated November 19, 2012 at 4:31 PM
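The two rules in the post above (append the letter count; put the consonant count in front and the vowel count at the back) are mechanical, so they can be written down and, more to the point, inverted. The script below is an added example, not code from the post: it derives the per-site passwords exactly as described for a site name given in lower case (the "evo" case reproduces the post's own values), and then shows the attacker's side, which is what this thread is really about. A password captured off one site's plaintext login, plus a guess at the rule family, yields a candidate for every other site; the site names "evo", "amazon" and "twitter" and the base password are taken from the thread as illustrations, nothing else is assumed about any real account.

```python
"""Derive per-site passwords from a shared base, then invert the scheme.

Added example, not from the post above. Site names are assumed lower case;
only alphabetic characters are counted.
"""

VOWELS = set("aeiou")


def letter_counts(site):
    """Return (letters, consonants, vowels) for the site name."""
    letters = [c for c in site.lower() if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    return len(letters), len(letters) - vowels, vowels


def suffix_scheme(base, site):
    """Base password followed by the number of letters in the site name."""
    return base + str(letter_counts(site)[0])


def wrapped_scheme(base, site):
    """Consonant count in front, vowel count at the back."""
    _, cons, vow = letter_counts(site)
    return f"{cons}{base}{vow}"


def _strip_affixes(leaked, prefix, suffix):
    """Return the base if the leaked password carries both affixes, else None."""
    if len(leaked) <= len(prefix) + len(suffix):
        return None
    if not (leaked.startswith(prefix) and leaked.endswith(suffix)):
        return None
    return leaked[len(prefix):len(leaked) - len(suffix)]


def recover_base_suffix(leaked, site):
    """Inverse of suffix_scheme for a password leaked from `site`."""
    return _strip_affixes(leaked, "", str(letter_counts(site)[0]))


def recover_base_wrapped(leaked, site):
    """Inverse of wrapped_scheme for a password leaked from `site`."""
    _, cons, vow = letter_counts(site)
    return _strip_affixes(leaked, str(cons), str(vow))


# (name, derive, recover) for each rule family the attacker will try.
SCHEMES = [
    ("suffix", suffix_scheme, recover_base_suffix),
    ("wrapped", wrapped_scheme, recover_base_wrapped),
]


def candidates_from_leak(leaked, leaked_site, targets):
    """Attacker view: for every scheme the leak is consistent with, derive the
    password the same user would have on each target site.
    Returns {target: {candidate, ...}}; an empty set means no scheme fitted."""
    result = {t: set() for t in targets}
    for _, derive, recover in SCHEMES:
        base = recover(leaked, leaked_site)
        if base is None:
            continue
        for t in targets:
            result[t].add(derive(base, t))
    return result


if __name__ == "__main__":
    base = "ThisIsMYBasePassword"
    print(suffix_scheme(base, "evo"), wrapped_scheme(base, "evo"))
    # One password sniffed off a plaintext login is enough for the rest.
    sniffed = suffix_scheme(base, "evo")
    print(candidates_from_leak(sniffed, "evo", ["amazon", "twitter"]))
```

The recovery step does no guessing beyond the rule family: because the affixes are a deterministic function of the site name, the leaked password either fits a scheme or it does not, and when it fits the base falls out directly. That is the property to weigh against the convenience of the scheme: the passwords are different per site, but they are not independent, so a single plaintext login on an http form costs more than that one account.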
