12-22-2015, 02:28 AM
#1
Senior Member
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Forum Log-on Security Request
Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.
The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
12-22-2015, 11:56 AM
#2
Senior Member
Join Date: Sep 2009
Location: SE Washington
Posts: 1,044
Just change your password frequently? And don't use your PayPal password?
__________________
---------------------
2009 E250 RB 5.4L "SilVan"
12-23-2015, 06:15 PM
#3
Site Team
Join Date: May 2015
Location: Pacific NW
Posts: 438
Quote:
Originally Posted by joey2cool
Is there a future plan to improve our login security with HTTPS? Encryption is the very least I would expect for password entry.
The current forum log-on is using HTTP. Readily available and free sniffer software can be used to see our usernames and passwords in plain text. Not a good thing...
There are currently no plans but it's worth noting that there's no financial info stored here.
Quote:
Originally Posted by dhally
Just change your password frequently? And don't use your PayPal password?
This is good advice. A strong password will include both upper and lower case letters, a couple of numbers and a special character. Example: 4wHeE!z4m3&u
__________________
.
You have brains in your head. You have feet in your shoes.
You can steer yourself any direction you choose. | Dr. Seuss
12-23-2015, 07:10 PM
#4
Site Team
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 1,202
Anyone interested in password security might read this:
https://blog.agilebits.com/2011/08/1...-geek-edition/
or, here's the executive summary:
__________________
-Don-
Life and baseball both sometimes are not fair, but it is how you play the hops that counts. —Scott Miller, NYT Sports
12-23-2015, 07:31 PM
#5
Senior Member
Join Date: Feb 2013
Location: San Francisco/Nevada City
Posts: 3,784
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.
12-23-2015, 07:33 PM
#6
Site Team
Join Date: Jun 2011
Location: Santa Fe, NM
Posts: 1,202
Quote:
Originally Posted by rallypanam
All good info, but a very difficult unencrypted login is just as easy to steal as a very easy unencrypted password.
True. As noted above, don't use your PayPal login for the forum.
-d-
__________________
-Don-
Life and baseball both sometimes are not fair, but it is how you play the hops that counts. —Scott Miller, NYT Sports
12-24-2015, 10:20 AM
#7
Senior Member
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
I think the point is being overlooked. Personal info is being placed on this site. For example, email address, location, birthday, possessions, dates of travel, even real names. This site is a social engineer's garden.
The new User CP alludes to an interest in security. I can't even change my password without providing more personal info now. This site uses graphic image confirmation entry to prevent bot crawler use of the search engine, but cares not for their user resource protection.
No password on this site is safe - they are just published in plain sight. Changing them does you no good. These accounts can easily be taken over by hackers - users can be impersonated, kept out of their own accounts, and most likely compromised in other ways.
There is no perfect world, and no impenetrable wall, but https on log on and User CP screens would at least give us a fighting chance against hackers. Please put this high on the to do list.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
11-16-2016, 05:22 PM
#8
Senior Member
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Sorry to see no progress made to improve our security yet.
Today, there is no such thing as non-sensitive web traffic. By simply always using HTTPS, both people and browsers can make safer assumptions about secure connections.
If you run a web site, you can make it default to HTTPS for everyone, not just HTTPS Everywhere users. And it's less work! The steps you should take, in order, are:
- Set up a redirect from HTTP to HTTPS on your site.
- Add the Strict-Transport-Security (HSTS) header on your site.
- Add your site to the HSTS Preload list.
HTTPS certificates are 100% free and can be instantly obtained. See https://www.startssl.com/Support?v=1 to secure your web traffic and mail service now.
These steps will give your site much better protection. It's not if, but when this site is compromised. Please give us HTTPS soon!
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet
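The three steps in the post above (redirect HTTP to HTTPS, send the Strict-Transport-Security header, qualify for the preload list) can be verified against a site's responses. The script below is an added example written for this thread; it is not part of the forum or its software. It parses an HSTS header the way RFC 6797 describes and applies the preload list's rules (the one-year minimum max-age is assumed to be the current hstspreload.org requirement). The host `forum.example` and the sample responses are constructed, so it runs offline.

```python
"""Offline check of the three HTTPS steps listed in the post above:
(1) redirect plain HTTP to HTTPS, (2) send a Strict-Transport-Security
header, (3) meet the hstspreload.org submission rules. The responses
below are constructed samples, not captured from any real forum."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Minimum max-age the HSTS preload list accepts (one year). Assumption:
# this is the current hstspreload.org rule; it was shorter in 2016.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS field value per RFC 6797 s.6.1: directives separated by
    ';', names case-insensitive, each allowed once, values optionally quoted,
    unknown directives tolerated."""
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("required max-age directive missing")
    return policy


def check_redirect(status: int, headers: Dict[str, str], requested_url: str) -> List[str]:
    """Step 1: a plain-HTTP request must be answered with a redirect to the
    same host over https. Returns a list of findings (empty means OK)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect, got HTTP {status}"]
    location = lower.get("location", "")
    target, origin = urlsplit(location), urlsplit(requested_url)
    findings = []
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location!r}")
    if target.hostname != origin.hostname:
        findings.append("redirect changes host; preload wants a same-host redirect")
    return findings


def check_preload(policy: HstsPolicy) -> List[str]:
    """Steps 2 and 3: the HSTS policy must be valid and preload-eligible."""
    findings = list(policy.problems)
    if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains directive missing")
    if not policy.preload:
        findings.append("preload directive missing")
    return findings


# Constructed sample responses for a hypothetical forum host.
LOGIN_URL = "http://forum.example/login.php"
WEAK_HTTP = (200, {"Content-Type": "text/html"}, LOGIN_URL)  # serves the login form in the clear
GOOD_HTTP = (301, {"Location": "https://forum.example/login.php"}, LOGIN_URL)
WEAK_HSTS = "max-age=300"
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_HTTP), ("good", GOOD_HTTP)):
        print(label, "redirect:", check_redirect(*resp) or "OK")
    for label, hdr in (("weak", WEAK_HSTS), ("good", GOOD_HSTS)):
        print(label, "hsts:", check_preload(parse_hsts(hdr)) or "OK")
```

To use it against a live site, feed `check_redirect` the status and headers of a plain `http://` request to the login page, and `parse_hsts` the header value returned over `https://`; a short max-age such as the constructed `WEAK_HSTS` still protects returning visitors for a few minutes but is rejected by the preload list.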
11-17-2016, 03:13 PM
#9
Senior Member
Join Date: Feb 2013
Location: San Francisco/Nevada City
Posts: 3,784
11-17-2016, 03:23 PM
#10
Senior Member
Join Date: Nov 2009
Location: Pacific Northwest
Posts: 378
Did pm Janet once and a site monitor late but don't recall who now. Janet doesn't think http use poses a threat.
If anyone doubts the seriousness of the http threat they need look no farther than the example at https://nakedsecurity.sophos.com/201...locked-laptop/ for just one way http web sites can drag us all down.
__________________
2010 Ford E250 5.4L V8 Gas 2WD
SMB Mod RB36 w/PH Prop Stove & Furn Frig 10G Wtr Elect
Silver Bullet