Passwords sent in plaintext
I just noticed that when you log in, username and passwords are sent as plaintext over the wire, not even encrypted or over SSL. This seems pretty dangerous! Any reason this security risk can't be corrected?
Re: Passwords sent in plaintext
Are you concerned that someone will hack into the board as you and leave a racy message?
I always wanted to be a procrastinator.
Re: Passwords sent in plaintext
As long as you don't reuse passwords, the only side effect of a plaintext login is what Sidney said.
Re: Passwords sent in plaintext
It's not only someone hacking in as me, it's basically anyone that can compromise the server, or any hop in between our machines and the server. They can watch the traffic and just collect all passwords.
My major concern is that there are a lot of not so technical people on this forum who would reuse passwords, and the danger is they are all linked to a particular financial institution.
You can argue that the risk is minimal, but I'd argue that the implementation of simple security is minimal and much lower risk than the compromising of every user's password.
Re: Passwords sent in plaintext
There was a recent conversation about this. Search for it.
- Peculiar_Investor
- Site Admin
Re: Passwords sent in plaintext
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Re: Passwords sent in plaintext
http://www.bogleheads.org/forum/viewtopic.php?t=85181
greg24 wrote: There was a recent conversation about this. Search for it.
While I admire the work and resources that keep this site running, security does not seem to be a priority. Poster beware...
Re: Passwords sent in plaintext
A good reminder to not reuse passwords. Though phpBB hashes passwords (I think salted MD5), there's no way of knowing what certain sites do. Always assume that any password you use can be seen plaintext by, at best, the site admins, and at worst, any hackers that may compromise the site or your connection thereto.
Re: Passwords sent in plaintext
I think it's OK to reuse passwords on sites where your security is unimportant like this one.
But don't do it on sites where your security is important.