Passwords sent in plaintext

Topic Author
Olav2
Posts: 312
Joined: Fri May 25, 2007 4:25 pm

Passwords sent in plaintext

Post by Olav2 »

I just noticed that when you log in, username and passwords are sent as plaintext over the wire, not even encrypted or over SSL. This seems pretty dangerous! Any reason this security risk can't be corrected?
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Passwords sent in plaintext

Post by Sidney »

Are you concerned that someone will hack into the board as you and leave a racy message?
I always wanted to be a procrastinator.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Passwords sent in plaintext

Post by Mudpuppy »

As long as you don't reuse passwords, the only side effect of a plaintext login is what Sidney said.
Topic Author
Olav2
Posts: 312
Joined: Fri May 25, 2007 4:25 pm

Re: Passwords sent in plaintext

Post by Olav2 »

It's not only someone hacking in as me, it's basically anyone that can compromise the server, or any hop in between our machines and the server. They can watch the traffic and just collect all passwords.

My major concern is that there are a lot of not so technical people on this forum who would reuse passwords, and the danger is they are all linked to a particular financial institution.

You can argue that the risk is minimal, but I'd argue that the implementation of simple security is minimal and much lower risk than the compromising of every user's password.
greg24
Posts: 4511
Joined: Tue Feb 20, 2007 9:34 am

Re: Passwords sent in plaintext

Post by greg24 »

There was a recent conversation about this. Search for it.
Peculiar_Investor
Site Admin
Posts: 2442
Joined: Thu Oct 20, 2011 12:23 am
Location: Calgary, AB 🇨🇦

Re: Passwords sent in plaintext

Post by Peculiar_Investor »

Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
mas
Posts: 1511
Joined: Tue Feb 20, 2007 11:54 am

Re: Passwords sent in plaintext

Post by mas »

greg24 wrote: There was a recent conversation about this. Search for it.
http://www.bogleheads.org/forum/viewtopic.php?t=85181

While I admire the work and resources that keep this site running, security does not seem to be a priority. Poster beware...
brianH
Posts: 666
Joined: Wed Aug 12, 2009 12:21 pm

Re: Passwords sent in plaintext

Post by brianH »

A good reminder to not reuse passwords. Though phpBB hashes passwords (I think salted MD5), there's no way of knowing what certain sites do. Always assume that any password you use can be seen plaintext by, at best, the site admins, and at worst, any hackers that may compromise the site or your connection thereto.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Passwords sent in plaintext

Post by tadamsmar »

I think it's OK to reuse passwords on sites where your security is unimportant like this one.

But don't do it on sites where your security is important.