Old 12-22-2015, 02:28 AM   #1
Senior Member
 
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 373
Forum Log-on Security Request

Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.

The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
Old 12-22-2015, 11:56 AM   #2
Senior Member
 
 
Join Date: Sep 2009
Location: SE Washington
Posts: 772
Just change your password frequently? And don't use your PayPal password?
__________________
---------------------
2009 E250 RB 5.4L "SilVan"
dhally is offline   Reply With Quote
Old 12-23-2015, 06:15 PM   #3
Site Team
 
 
Join Date: May 2015
Location: Pacific NW
Posts: 225
Quote:
Originally Posted by joey2cool View Post
Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.

The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...
There are currently no plans but it's worth noting that there's no financial info stored here.

Quote:
Originally Posted by dhally View Post
Just change your password frequently? And don't use your PayPal password?
This is good advice. A strong password will include both upper and lower case letters, a couple of numbers and a special character. Example: 4wHeE!z4m3&u
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose. | Dr. Seuss
Janet H is offline   Reply With Quote
Old 12-23-2015, 07:10 PM   #4
Site Team
 
 
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 741
Anyone interested in password security might read this:

https://blog.agilebits.com/2011/08/1...-geek-edition/

or, here's the executive summary:
[Attached image: xkcd-936-password_strength.png]
__________________

The Doghouse: 2012 RB E350 6.8L V-10 4WD
Modified RB 30 w/Front Lockers. PH Top, Kyocera solar and Zamp portable unit
Sire: The Turtle Shell, 1991 Chevy K250 V8 with Lance Squire 11 3/4 cabover
Dam: VannieGone, 1987 VW Westphalia
(If we'd bought the winch, we'd make a fortune pulling cars out of the snow.)
rionapo is offline   Reply With Quote
Old 12-23-2015, 07:31 PM   #5
Senior Member
 
 
Join Date: Feb 2013
Location: San Francisco, CA
Posts: 2,631
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.
rallypanam is online now   Reply With Quote
Old 12-23-2015, 07:33 PM   #6
Site Team
 
 
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 741
Quote:
Originally Posted by rallypanam View Post
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.
True. As noted above, don't use your PayPal login for the forum.

-d-
__________________

The Doghouse: 2012 RB E350 6.8L V-10 4WD
Modified RB 30 w/Front Lockers. PH Top, Kyocera solar and Zamp portable unit
Sire: The Turtle Shell, 1991 Chevy K250 V8 with Lance Squire 11 3/4 cabover
Dam: VannieGone, 1987 VW Westphalia
(If we'd bought the winch, we'd make a fortune pulling cars out of the snow.)
rionapo is offline   Reply With Quote
Old 12-24-2015, 10:20 AM   #7
Senior Member
 
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 373
I think the point is being overlooked. Personal info is being placed on this site. For example, email address, location, birthday, possessions, dates of travel, even real names. This site is a social engineer's garden.

The new User CP alludes to an interest in security. I can't even change my password without providing more personal info now. This site uses graphic image confirmation entry to prevent bot crawler use of the search engine, but cares not for their user resource protection.

No password on this site is safe - they are just published in plain sight. Changing them does you no good. These accounts can easily be taken over by hackers - users can be impersonated, kept out of their own accounts, and most likely compromised in other ways.

There is no perfect world, and no impenetrable wall, but https on log on and User CP screens would at least give us a fighting chance against hackers. Please put this high on the to do list.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
Old 11-16-2016, 05:22 PM   #8
Senior Member
 
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 373
Sorry to see no progress made to improve our security yet.

Today, there is no such thing as non-sensitive web traffic. By simply always using HTTPS, both people and browsers can make safer assumptions about secure connections.

If you run a web site, you can make it default to HTTPS for everyone, not just HTTPS Everywhere users. And it's less work! The steps you should take, in order, are:
  1. Set up a redirect from HTTP to HTTPS on your site.
  2. Add the Strict-Transport-Security (HSTS) header on your site.
  3. Add your site to the HSTS Preload list.
HTTPS certificates are 100% free and can be instantly obtained. See https://www.startssl.com/Support?v=1 to secure your web traffic and mail service now.
These steps will give your site much better protection. It's not if, but when this site is compromised. Please give us HTTPS soon!
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
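The three steps listed in the post above (redirect, HSTS header, preload) can be checked from the responses a site actually returns. The following is an added example, not code from the post, the poster, or the forum's software: the host forum.example and the captured responses are constructed, and the preload thresholds follow the hstspreload.org submission requirements (a max-age of at least one year, includeSubDomains, and the preload directive).

```python
"""Audit HTTP->HTTPS redirect and HSTS policy from captured responses.

Added example; the responses below are constructed, not captured from a real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org


@dataclass
class Response:
    """Minimal model of an HTTP response: request URL, status, headers."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive; servers emit them in varying case.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Returns None when the header is malformed: a directive repeated
    (RFC 6797 section 6.1) or max-age missing or non-numeric.
    """
    directives: dict = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_redirect(http_resp: Response) -> List[str]:
    """Step 1: the plain-http URL must redirect to https on the same host."""
    findings = []
    if http_resp.status not in (301, 302, 307, 308):
        findings.append("step 1: http URL does not redirect (status %d)" % http_resp.status)
        return findings
    location = http_resp.header("Location") or ""
    target, origin = urlparse(location), urlparse(http_resp.url)
    if target.scheme != "https":
        findings.append("step 1: redirect target is not https: %r" % location)
    elif target.hostname != origin.hostname:
        # Preload requires the first hop to be https on the same host.
        findings.append("step 1: redirect should stay on the same host before changing hosts")
    if http_resp.header("Strict-Transport-Security"):
        # Browsers ignore HSTS received over insecure transport (RFC 6797 section 8.1).
        findings.append("note: HSTS sent over plain http is ignored by browsers")
    return findings


def check_hsts(https_resp: Response) -> List[str]:
    """Steps 2 and 3: HSTS present over https and strong enough to preload."""
    findings = []
    raw = https_resp.header("Strict-Transport-Security")
    if raw is None:
        findings.append("step 2: no Strict-Transport-Security header on https response")
        return findings
    hsts = parse_hsts(raw)
    if hsts is None:
        findings.append("step 2: malformed Strict-Transport-Security header: %r" % raw)
        return findings
    if hsts["max-age"] == 0:
        findings.append("step 2: max-age=0 tells browsers to drop the policy")
    elif hsts["max-age"] < ONE_YEAR:
        findings.append("step 3: max-age %d is below the one-year preload minimum" % hsts["max-age"])
    if "includesubdomains" not in hsts:
        findings.append("step 3: includeSubDomains is required for the preload list")
    if "preload" not in hsts:
        findings.append("step 3: preload directive missing")
    return findings


def audit(http_resp: Response, https_resp: Response) -> List[str]:
    """Run all checks; an empty list means the three steps are in place."""
    return check_redirect(http_resp) + check_hsts(https_resp)


# Constructed responses: a login page served the weak way and the hardened way.
WEAK_HTTP = Response("http://forum.example/login.php", 200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response("https://forum.example/login.php", 200, {"Content-Type": "text/html"})
HARDENED_HTTP = Response("http://forum.example/login.php", 301,
                         {"Location": "https://forum.example/login.php"})
HARDENED_HTTPS = Response("https://forum.example/login.php", 200,
                          {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        print(label, audit(*pair) or ["ok"])
```

Run against a live site by filling `Response` from whatever HTTP client is in use; the check deliberately works on captured responses so it can also be applied to saved proxy logs.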
Old 11-17-2016, 03:13 PM   #9
Senior Member
 
 
Join Date: Feb 2013
Location: San Francisco, CA
Posts: 2,631
Try PMing the site owners, they rarely if ever respond in threads.

Sportsmobile Forum - View Profile: Andy R
Sportsmobile Forum - View Profile: Tech Admin
Sportsmobile Forum - View Profile: Janet H
rallypanam is online now   Reply With Quote
Old 11-17-2016, 03:23 PM   #10
Senior Member
 
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 373
Did PM Janet once and a site monitor later, but don't recall who now. Janet doesn't think HTTP use poses a threat.

If anyone doubts the seriousness of the http threat they need look no farther than the example at https://nakedsecurity.sophos.com/201...locked-laptop/ for just one way http web sites can drag us all down.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote