*****URGENT PASSWORDS NOT SAFE*****

Status
Not open for further replies.

Foh

Retro Newbie
Hi,

I'm a computer science student who happens to be into retro bikes. I noticed this forum is sending passwords in plaintext form over the internet. Basically, anyone with basic tools can easily see your passwords whenever you log in.

I have attached a screenshot with an example showing this transmission. Where it says "key: password", that is the label; "value: ThisIsThePasswordBox" is what I typed in the password box (I typed "ThisIsThePasswordBox").

You may think this isn't an issue, as it's not too important if someone knows your password for this forum; however, if you use the same password for this as you do for other accounts, such as Facebook or Amazon, it can become a very big issue. I also expect that this forum is open to SQL injection, a form of attack where the user can gain access to data from the website's database; however, confirming this would break the law.

This needs to be addressed so that the passwords of users on this forum aren't stolen.

Foh
 

Attachments

  • Password.png (72.5 KB)
The entire website isn't secure and the management don't seem too bothered about that, despite it being raised numerous times. In fact this is the only place I use that isn't secure, and the lack of concern bothers me a fair bit.

So much so I'm thinking of calling it a day.

I don't use the same password across the web, that would be nuts, but it might be the case for some, and the lack of concern is really just a slap in the face for them.
The site has generated income over the years it's been in operation, so the very least they could do is make it secure.
 
John said:
It will be addressed soon.

This is discussed endlessly.

Please post here > viewtopic.php?f=8&t=392797

Are passwords even hashed before storage? Look into implementing bcrypt.

Whoever does the backend stuff, you want to hash the input password locally, then send that hash to the database server. Then, instead of storing passwords in plaintext, store the hash of each password. That way, to authenticate the user, you compare the hash they've sent with the hash stored. This means both that if the database is breached all the passwords are safe, and that if someone is listening in on traffic they'll only see the hashed password, which is useless to them.

In the nicest possible way, I know you're not a huge company with endless budget and staff, but saying "This is discussed endlessly" really just isn't good enough, especially when you consider that the demographic of this forum is likely quite old and could therefore potentially use the same passwords for multiple websites.
 
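The post above recommends hashing passwords with bcrypt and comparing hashes at login. The following is an added example, not code from the forum or its software, showing the pattern end to end: a salted, memory-hard hash is computed when the account is created, only that record is stored, and at login the submitted password is re-hashed with the stored salt and compared in constant time. It uses Python's standard-library hashlib.scrypt rather than bcrypt so it runs without extra packages; the parameter choices, the record format and the user store are assumptions for the example. Note that the hashing here happens on the server after the password arrives, so the transport still has to be TLS: a hash computed in the browser would simply become the secret an eavesdropper replays.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Cost parameters for hashlib.scrypt (assumptions for this example;
# N=2**14, r=8 needs about 16 MiB per hash, well under the 32 MiB
# default limit). Raise N as server hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$digest_hex'.

    A fresh random salt per user means two accounts with the same
    password produce different records, so a leaked table cannot be
    attacked with one precomputed dictionary.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and parameters and
    compare in constant time. Malformed records verify as False."""
    try:
        alg, n, r, p, salt_hex, digest_hex = record.split("$")
        if alg != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the hashes first differ.
    return hmac.compare_digest(actual, expected)


# A stand-in for the forum's user table: username -> stored record.
# This is a constructed in-memory store for the example, not the forum's schema.
UserStore = Dict[str, str]

# Hashed once at import so a login for an unknown user still does one
# scrypt computation, keeping the timing similar to a real user.
_DUMMY_RECORD = hash_password("unused-dummy-password")


def register_user(store: UserStore, username: str, password: str) -> str:
    """Store only the hash record; the plaintext password is never kept."""
    record = hash_password(password)
    store[username] = record
    return record


def login(store: UserStore, username: str, password: str) -> bool:
    """Authenticate by comparing the hash of the submitted password."""
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same cost
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users: UserStore = {}
    stored = register_user(users, "foh", "ThisIsThePasswordBox")
    print("stored record:", stored)
    print("correct password:", login(users, "foh", "ThisIsThePasswordBox"))
    print("wrong password:  ", login(users, "foh", "hunter2"))
    print("unknown user:    ", login(users, "nobody", "ThisIsThePasswordBox"))
```

Only the record string would ever be written to the database; a dump of that table gives an attacker salted scrypt outputs that must be brute-forced per user at the chosen cost, not reusable credentials.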
OK, thanks for input, planned move to updated / new forum solution should ease your concern, as per previous post.

This is good feedback and all, but I do think, if you want to assist, the best way is via email, not splashing it all over the forum. Will lock this for now and remove any information which could be used by nefarious individuals.
 