Old 12-22-2015, 01:28 AM   #1
Senior Member
 
joey2cool's Avatar
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Forum Log-on Security Request

Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.

The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...

__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
Old 12-22-2015, 10:56 AM   #2
Senior Member
 
dhally's Avatar
 
Join Date: Sep 2009
Location: SE Washington
Posts: 1,029
Just change your password frequently? And don't use your PayPal password?
__________________
---------------------
2009 E250 RB 5.4L "SilVan"
dhally is offline   Reply With Quote
Old 12-23-2015, 05:15 PM   #3
Site Team
 
Janet H's Avatar
 
Join Date: May 2015
Location: Pacific NW
Posts: 435
Quote:
Originally Posted by joey2cool
Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.

The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...

There are currently no plans but it's worth noting that there's no financial info stored here.

Quote:
Originally Posted by dhally
Just change your password frequently? And don't use your PayPal password?

This is good advice. A strong password will include both upper and lower case letters, a couple of numbers and a special character. Example: 4wHeE!z4m3&u
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose. | Dr. Seuss
Janet H is offline   Reply With Quote
Old 12-23-2015, 06:10 PM   #4
Site Team
 
rionapo's Avatar
 
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 1,202
Anyone interested in password security might read this:

https://blog.agilebits.com/2011/08/1...-geek-edition/

or, here's the executive summary:
Attached Thumbnails
xkcd-936-password_strength.png  
__________________
-Don-

Life and baseball both sometimes are not fair, but it is how you play the hops that counts.
—Scott Miller, NYT Sports
rionapo is offline   Reply With Quote
Old 12-23-2015, 06:31 PM   #5
Senior Member
 
rallypanam's Avatar
 
Join Date: Feb 2013
Location: San Francisco/Nevada City
Posts: 3,769
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.
rallypanam is offline   Reply With Quote
Old 12-23-2015, 06:33 PM   #6
Site Team
 
rionapo's Avatar
 
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 1,202
Quote:
Originally Posted by rallypanam
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.

True. As noted above, don't use your PayPal login for the forum.

-d-
__________________
-Don-

Life and baseball both sometimes are not fair, but it is how you play the hops that counts.
—Scott Miller, NYT Sports
rionapo is offline   Reply With Quote
Old 12-24-2015, 09:20 AM   #7
Senior Member
 
joey2cool's Avatar
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
I think the point is being overlooked. Personal info is being placed on this site. For example, email address, location, birthday, possessions, dates of travel, even real names. This site is a social engineer's garden.

The new User CP alludes to an interest in security. I can't even change my password without providing more personal info now. This site uses graphic image confirmation entry to prevent bot crawler use of the search engine, but cares not for their user resource protection.

No password on this site is safe - they are just published in plain sight. Changing them does you no good. These accounts can easily be taken over by hackers - users can be impersonated, kept out of their own accounts, and most likely compromised in other ways.

There is no perfect world, and no impenetrable wall, but https on log on and User CP screens would at least give us a fighting chance against hackers. Please put this high on the to do list.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
Old 11-16-2016, 04:22 PM   #8
Senior Member
 
joey2cool's Avatar
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Sorry to see no progress made to improve our security yet.

Today, there is no such thing as non-sensitive web traffic. By simply always using HTTPS, both people and browsers can make safer assumptions about secure connections.

If you run a web site, you can make it default to HTTPS for everyone, not just HTTPS Everywhere users. And it's less work! The steps you should take, in order, are:
  1. Set up a redirect from HTTP to HTTPS on your site.
  2. Add the Strict-Transport-Security (HSTS) header on your site.
  3. Add your site to the HSTS Preload list.
HTTPS certificates are 100% free and can be instantly obtained. See https://www.startssl.com/Support?v=1 to secure your web traffic and mail service now.



These steps will give your site much better protection. It's not if, but when this site is compromised. Please give us HTTPS soon!
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
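
The three steps listed in post #8 (redirect, HSTS header, preload eligibility) can be checked mechanically. The following is an added example, not part of the original thread: it audits captured responses, using the hstspreload.org submission thresholds. The host `forum.example` and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year in seconds (hstspreload.org requirement)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives

def audit(host, http_resp, https_resp):
    """Check (status, headers) pairs for the three steps; [] means all pass."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    # Step 1: plain HTTP must redirect to HTTPS on the same host.
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("http does not redirect to https")
    elif target.hostname != host:
        findings.append("redirect leaves the original host")
    # Step 2: browsers ignore HSTS sent over plain HTTP, so only the
    # HTTPS response is inspected.
    hsts = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    raw = hsts.get("max-age")
    if not (isinstance(raw, str) and raw.isdigit()):
        findings.append("no valid HSTS header on https response")
        return findings
    # Step 3: preload-list eligibility.
    if int(raw) < PRELOAD_MIN_AGE:
        findings.append("max-age below one year")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"missing {directive} directive")
    return findings

# Constructed sample responses for a hypothetical host (header names lower-cased).
REDIRECT = (301, {"location": "https://forum.example/"})
HTTP_ONLY = ((200, {}), (200, {}))
PARTIAL = (REDIRECT, (200, {"strict-transport-security": "max-age=86400"}))
READY = (REDIRECT, (200, {"strict-transport-security":
                          "max-age=63072000; includeSubDomains; preload"}))

if __name__ == "__main__":
    for label, pair in (("http only", HTTP_ONLY), ("partial", PARTIAL), ("ready", READY)):
        print(label, audit("forum.example", *pair))
```
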
Old 11-17-2016, 02:13 PM   #9
Senior Member
 
rallypanam's Avatar
 
Join Date: Feb 2013
Location: San Francisco/Nevada City
Posts: 3,769
Try PMing the site owners, they rarely if ever respond in threads.

Sportsmobile Forum - View Profile: Andy R
Sportsmobile Forum - View Profile: Tech Admin
Sportsmobile Forum - View Profile: Janet H
rallypanam is offline   Reply With Quote
Old 11-17-2016, 02:23 PM   #10
Senior Member
 
joey2cool's Avatar
 
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Did PM Janet once and a site monitor later but don't recall who now. Janet doesn't think http use poses a threat.

If anyone doubts the seriousness of the http threat they need look no farther than the example at https://nakedsecurity.sophos.com/201...locked-laptop/ for just one way http web sites can drag us all down.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
joey2cool is offline   Reply With Quote
Disclaimer:

This website is not affiliated with or endorsed by Sportsmobile SIP or any of its affiliates. This is an independent, unofficial site.


All times are GMT -6.