Passwords sent in plaintext

Olav2
Posts: 309
Joined: Fri May 25, 2007 4:25 pm

Passwords sent in plaintext

Post by Olav2 » Tue Dec 13, 2011 1:35 am

I just noticed that when you login, username and passwords are sent as plaintext over the wire, not even encrypted or over SSL. This seems pretty dangerous! Any reason this security risk can't be corrected?

Sidney
Posts: 6694
Joined: Thu Mar 08, 2007 6:06 pm

Re: Passwords sent in plaintext

Post by Sidney » Tue Dec 13, 2011 2:02 am

Are you concerned that someone will hack into the board as you and leave a racy message?
I always wanted to be a procrastinator.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Passwords sent in plaintext

Post by Mudpuppy » Tue Dec 13, 2011 3:01 am

As long as you don't reuse passwords, the only side effect of a plaintext login is what Sidney said.

Olav2
Posts: 309
Joined: Fri May 25, 2007 4:25 pm

Re: Passwords sent in plaintext

Post by Olav2 » Tue Dec 13, 2011 10:37 am

It's not only someone hacking in as me, it's basically anyone that can compromise the server, or any hop in between our machines and the server. They can watch the traffic and just collect all passwords.

My major concern is that there are a lot of not so technical people on this forum who would reuse passwords, and the danger is they are all linked to a particular financial institution.

You can argue that the risk is minimal, but I'd argue that the implementation of simple security is minimal and much lower risk than the compromising of every user's password.
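As an added illustration of the risk described above (example code written for this page, not posted by anyone in the thread): a small audit script that parses a login page and reports any form with a password field whose submission would leave the browser outside TLS. The host name forum.example and the ucp.php paths in the embedded sample HTML are constructed for the example; the script uses only the Python standard library and runs offline.

```python
"""Audit login forms for password fields that would be sent without TLS.

Added example for this discussion; the sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(html, page_url):
    """Return one finding per password form that is not protected end to end.

    A finding is {"target": <absolute submit URL>, "reasons": [...]}.
    Reasons checked:
      - the form target is not https, so the password crosses every hop in the clear;
      - the page itself was loaded over plain http, so the form target seen by the
        browser is not trustworthy even when it says https;
      - the form uses GET, which puts the password in the URL (logs, history, referers).
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        reasons = []
        if target_scheme != "https":
            reasons.append("password is submitted over %s, not https" % target_scheme)
        if page_scheme != "https":
            reasons.append("login page itself was loaded over %s" % page_scheme)
        if form["method"] == "get":
            reasons.append("GET form puts the password in the query string")
        if reasons:
            findings.append({"target": target, "reasons": reasons})
    return findings


# Constructed sample: a phpBB-style login page served over plain http.
SAMPLE_HTTP_PAGE = """
<form action="./search.php" method="get"><input name="keywords" type="text"></form>
<form action="./ucp.php?mode=login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
"""

# Constructed sample: the same login form on a page served over https.
SAMPLE_HTTPS_PAGE = """
<form action="https://forum.example/ucp.php?mode=login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
"""

if __name__ == "__main__":
    for url, page in (("http://forum.example/ucp.php", SAMPLE_HTTP_PAGE),
                      ("https://forum.example/ucp.php", SAMPLE_HTTPS_PAGE)):
        for finding in find_insecure_login_forms(page, url):
            print(url, "->", finding["target"], ";", "; ".join(finding["reasons"]))
```

The search form is ignored because it carries no password field; the http-served login form gets two reasons (plain-http target, plain-http page), and the https version gets none. The same function can be pointed at any saved login page to check a site before deciding whether a password is safe to use there.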

greg24
Posts: 3268
Joined: Tue Feb 20, 2007 10:34 am

Re: Passwords sent in plaintext

Post by greg24 » Tue Dec 13, 2011 10:38 am

There was a recent conversation about this. Search for it.

Peculiar_Investor
Posts: 1130
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB

Re: Passwords sent in plaintext

Post by Peculiar_Investor » Tue Dec 13, 2011 10:52 am

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams

mas
Posts: 1461
Joined: Tue Feb 20, 2007 12:54 pm

Re: Passwords sent in plaintext

Post by mas » Tue Dec 13, 2011 10:54 am

greg24 wrote: There was a recent conversation about this. Search for it.
http://www.bogleheads.org/forum/viewtopic.php?t=85181

While I admire the work and resources that keep this site running, security does not seem to be a priority. Poster beware...

brianH
Posts: 174
Joined: Wed Aug 12, 2009 12:21 pm

Re: Passwords sent in plaintext

Post by brianH » Tue Dec 13, 2011 11:06 am

A good reminder to not reuse passwords. Though phpBB hashes passwords (I think salted MD5), there's no way of knowing what certain sites do. Always assume that any password you use can be seen in plaintext by, at best, the site admins, and at worst, any hackers that may compromise the site or your connection thereto.

tadamsmar
Posts: 7823
Joined: Mon May 07, 2007 12:33 pm

Re: Passwords sent in plaintext

Post by tadamsmar » Tue Dec 13, 2011 12:12 pm

I think it's OK to reuse passwords on sites where your security is unimportant like this one.

But don't do it on sites where your security is important.
