Topic: Use a unique password for this site (Read 15430 times)

db90h

  • Coding Snacks Author
  • Charter Member
  • Joined in 2005
  • Posts: 481
  • Software Engineer
  • Bitsum - Take control of your PC
Use a unique password for this site
« on: March 06, 2015, 10:58 PM »
If you logout or open an incognito tab, you may notice the login prompt in the upper left.

What you don't see is any SSL encryption.

EDIT: Since SMF hashes on the client side using javascript, you're fine, though of course all your information is still sent to the server plaintext.
« Last Edit: March 07, 2015, 11:40 AM by db90h »

db90h

Re: Use a unique password for this site
« Reply #1 on: March 06, 2015, 11:05 PM »
Gosh, I hated to be the one to notice and report this, but how could I not?

It's no biggie, so long as your password here is not used anywhere else, which is standard procedure.

Still, I prefer 100% SSL on *all* pages. I took this bold experiment myself. It was bold because Google treats you as a new domain and the CPU overhead can increase. My results were fine, as were Google's when they did the same to all their servers a while back.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
  • Mouser's Software Zone on DonationCoder.com
Re: Use a unique password for this site
« Reply #2 on: March 06, 2015, 11:10 PM »
SSL or not -- EVERY website you use, you need to use a unique password, so that if one site gets hacked, the bad guys don't learn your logins to other sites.

db90h

Re: Use a unique password for this site
« Reply #3 on: March 06, 2015, 11:13 PM »
Well, that's true, in part, but one would HOPE that any modern server would store their passwords in hashed format, not plaintext. The purpose of the hash, as you know, is to prevent it from being reversed back to its plaintext. Thus, if they get breached, they get no passwords.

Still, it is best practice to use different passwords, for other reasons, not that one in particular.

Please don't get defensive about this, you can delete this thread, I won't mention it again. Very sorry. Trying to help, came out wrong I guess. Wanted people to realize.
« Last Edit: March 06, 2015, 11:38 PM by db90h »

db90h

Re: Use a unique password for this site
« Reply #4 on: March 06, 2015, 11:16 PM »
Recommend you issue a statement explaining the situation (you know it in detail) and recommended guidance. Stay ahead of it. No breach happened. No damage known to be done.

EDIT: Man, I hate that I mentioned this, I am just so SSL aware right now, I couldn't help it -- especially since I just had to change a bunch of passwords, because it's hard, in practice, to use a unique password on *every* site. I reserve unique ones for mission critical sites.

db90h

Re: Use a unique password for this site
« Reply #5 on: March 06, 2015, 11:28 PM »
Oh I feel like shit, why did I have to reveal that...

I just want to support you, please understand that. This could have come back to bite you much harder. Oh well. You are not blameless, it's your server. Keep it as secure as you want, I'll just remember no SSL here ;)
« Last Edit: March 06, 2015, 11:39 PM by db90h »

db90h

Re: Use a unique password for this site
« Reply #6 on: March 06, 2015, 11:30 PM »
If I could delete this topic, I would.. so am requesting you do .. for your privacy while you fix it.

mouser

Re: Use a unique password for this site
« Reply #7 on: March 06, 2015, 11:39 PM »
Deep breaths ! :)
There's nothing to get freaked out about -- most people don't use SSL for donationcoder or any other forum login, and don't need to.
I'll look into the SSL login issue you've mentioned, but there's no need to panic.
And again the main important thing that everyone should remember, for general security, is to use different passwords on different websites -- and if you're having trouble remembering them, use a password manager.

ps.
SMF forum login uses JavaScript to hash passwords before it's submitted to the login page, even over non-SSL.

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 9,778
Re: Use a unique password for this site
« Reply #8 on: March 06, 2015, 11:41 PM »
I have no idea what you're talking about. I see the connection is encrypted when I visit this page:

https://www.donation....com/forum/index.php

Make sure you're visiting the https site, and not just http.

Though, because I'm not using https myself, it is stripping the S from the https when I paste the link... Which I think means it will be there for anyone else who is using https.

[attachment: Screenshot - 15-03-06, 22-42-54.png]
« Last Edit: March 06, 2015, 11:49 PM by Deozaan »

db90h

Re: Use a unique password for this site
« Reply #9 on: March 06, 2015, 11:43 PM »
@Deozaan: That is not the default address, unless maybe you use that HTTPEverywhere extension.

It defaults to HTTP.

So sorry to have brought this up. It's legit though.

db90h

Re: Use a unique password for this site
« Reply #10 on: March 06, 2015, 11:45 PM »
BTW, I have converted my entire SMF based forum to SSL, FWIW...  Doesn't have the mods yours has, but...

EDIT: Oh, ok, if it hashes the passwords on the client side, that helps ;)

db90h

Re: Use a unique password for this site
« Reply #11 on: March 06, 2015, 11:47 PM »
.delme. this post. or thread. I wasn't attacking you guys, but please, be reasonable, and acknowledge it as an issue that needs addressing sooner or later.

Deozaan

Re: Use a unique password for this site
« Reply #12 on: March 06, 2015, 11:48 PM »
@Deozaan: That is not the default address, unless maybe you use that HTTPEverywhere extension.

It defaults to HTTP.

So sorry to have brought this up. It's legit though.

I still don't get what the big deal is, or why you're freaking out about it. It's pretty obvious that you're not going to have an encrypted connection if you don't use https.

It's a discussion board. It's not your bank account.

db90h

Re: Use a unique password for this site
« Reply #13 on: March 06, 2015, 11:50 PM »
I still don't get what the big deal is, or why you're freaking out about it. It's pretty obvious that you're not going to have an encrypted connection if you don't use https.

Logins where credentials are supplied are presumed to at least have SSL encryption by industry standard.

I'm not freaking out.

If SMF hashes the password on the client side before sending it unencrypted, then you're not bad off.

But if you don't understand what I was concerned about, then you aren't trying very hard ;). Not everyone even knows what HTTPS is.

mwb1100

  • Supporting Member
  • Joined in 2006
  • Posts: 1,645
Re: Use a unique password for this site
« Reply #14 on: March 07, 2015, 12:55 AM »
Not that anyone probably cares, but here's my basic website password security scheme:

  - sites that I deem important/sensitive, such as my banking sites, paypal, work, etc. get unique, strong passwords
  - sites that I consider to not be highly sensitive, i.e., I won't lose money if someone gets into my account, such as DC, or cracked.com, or whatever, get a password that's mostly the same as every other similarly non-sensitive website.  I do change the starting letter of the password to match the site's domain name - that gives these passwords some very small measure of uniqueness.

This works well for me because I don't have to work at all to remember most website passwords.  Of course, I'd rather those accounts not get hacked, but I won't be seriously hurt if they do so I don't feel I have to put a lot of effort into password security for them.  However, those passwords are still generally different enough from one another that if one site gets hacked and a list of userids & passwords gets into the hands of hackers (such as with the Adobe breach), those hackers won't get into *all* of my website accounts.  And the few that they might get a match on will be more or less worthless to them - at least as far as bringing any kind of harm to me.  Getting one of those passwords does nothing to help them get a password for any of the sites I consider sensitive.

The key is that the "common" password I use has a mix of letters, letter case, numbers, a punctuation character, and a length that's long enough, but not too long.

This lets that password get through nearly every 'password strength requirement' filter out there, but still fits constraints that some sites have.  It probably doesn't happen too often anymore, but in the past I have come across web sites that don't allow passwords to be longer than 8 characters or don't allow characters like quotes or slashes.  So my common, base password doesn't violate those rules.  But it's still complex enough to make most sites happy.

Anyway, that's how I deal with password management.

Irritating password constraints trivia: I recall one website that wanted passwords to be no shorter than 6 characters, but no longer than 8 characters - what???

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
  • Renegade Minds
Re: Use a unique password for this site
« Reply #15 on: March 07, 2015, 01:29 AM »
SSL or not -- EVERY website you use, you need to use a unique password, so that if one site gets hacked, the bad guys don't learn your logins to other sites.

^ THIS!

I had one account compromised. It used a password that I used on 1 other site. Just 1 other site. 1.

Now, either the other site was malicious, or it was hacked as the site the compromised account was on knew that some accounts had been compromised, while others were not.

So, you can imagine how that all goes and how the hackers try brute forcing sites with known account IDs/passwords.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

db90h

Re: Use a unique password for this site
« Reply #16 on: March 07, 2015, 11:08 AM »
Still I prefer SSL, LOL.

The idea of everything I type, even drafts, going straight to any server plaintext... Well, it bothers me.

DC is fine here since SMF is designed to operate w/o SSL by hashing the password on the client side. They don't use SSL on their own site.

However, it's not 'fine' as to where we are in society today, so it's just something to think about as the site is refactored someday.

mouser

Re: Use a unique password for this site
« Reply #17 on: March 07, 2015, 11:15 AM »
Well, that's true, in part, but one would HOPE that any modern server would store their passwords in hashed format, not plaintext. The purpose of the hash, as you know, is to prevent it from being reversed back to its plaintext. Thus, if they get breached, they get no passwords.

That's a good point -- if a server is hacked and the server properly stored password hashes, your password is not instantly known.  However, with a list of password hashes, many passwords can be figured out.
Even if a hacked server wouldn't instantly expose your password -- let's remember that the hacked server, if not discovered immediately, could have new scripts run on it that would harvest passwords when you provide them to it.

Bottom line -- don't use the same password on different sites.  Use a password manager tool to help you create a nice long unique password for each site.

Personally I think SSL use on everything is overkill -- I prefer a more pragmatic approach: Never provide financial information on a connection that is not SSL -- but on simple non-critical website logins, I don't give it a second thought.  SSL is provided on DonationCoder using https (at non-trivial effort and expense I might add) as a courtesy to those who view it as important (even if I think it's overkill for most users).

[ps. i've removed the caps "WARNING" line from the subject of this thread since i think it would lead to confusion]
« Last Edit: March 07, 2015, 11:25 AM by mouser »

db90h

Re: Use a unique password for this site
« Reply #18 on: March 07, 2015, 11:37 AM »
Yea, rainbow tables are the term you are looking for ;). They are, again, hopefully, neutralized by appropriately salting the hashed password.

Certainly your operation is safe and warning caps removed with good reason.

A single password manager introduces a single point of failure, but is otherwise good advice.

The entirety of web traffic will be encrypted in time, whether it be via HTTP 5 or simple prudence.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
Re: Use a unique password for this site
« Reply #19 on: March 07, 2015, 04:55 PM »
The entirety of web traffic will be encrypted in time, whether it be via HTTP 5 or simple prudence.

Why? It's a total waste of processor time and effort, because privacy - as it is commonly understood - is currently and for the foreseeable future a complete myth. Sure as mouser stated above for banking and finance it is best to keep up the ruse and try to limit the number of bad people that wish to nose around in the affairs of others. But if the encryption that is to be used is not capable of keeping out all of the "bad people"...then it's really just a silly waste of time.

db90h

Re: Use a unique password for this site
« Reply #20 on: March 07, 2015, 05:00 PM »
Yea, that's why I send my mail on post cards.

It's a simple security thing. Easier to secure everything than cherry-pick. That's all.

Surely certain portions will be broken as necessary, man-in-the-middle attacks from a legit CA, etc.. the NSA will always have their ways.

But security isn't about 'criminals', it's about online safety and privacy, especially for those who live in countries where their political affiliation this year could cost them their life the next.

rgdot

  • Supporting Member
  • Joined in 2009
  • Posts: 2,193
Re: Use a unique password for this site
« Reply #21 on: March 07, 2015, 05:14 PM »
Credit card numbers and passwords need to be one time things that are set up, requested, delivered to you via secondary protected apps. Something like this exists via few banks/credit card issuers but needs to be expanded in a big comprehensive way. Sort of 2FA on steroids.

Stoic Joker

Re: Use a unique password for this site
« Reply #22 on: March 07, 2015, 10:06 PM »
But security isn't about 'criminals', it's about online safety and privacy, especially for those who live in countries where their political affiliation this year could cost them their life the next.

...And that's my point. If you can't keep the alphabet soup crowd out - and you can't - then the entire exercise becomes pointless.

Renegade

Re: Use a unique password for this site
« Reply #23 on: March 08, 2015, 08:53 AM »
Please allow me to emphasise this a bit more because @db90h has brought up some really, very important security issues:

Yea, rainbow tables are the term you are looking for ;).

For those not familiar, a rainbow table is a list of hash values for strings (passwords). So, if your password is hashed, the attacker just looks it up in a rainbow table in, oh, like, it's done now, so, next. It's a very powerful attack.

They are, again, hopefully, neutralized by appropriately salting the hashed password.

For those not familiar with a salt, salts are just strings that are added to passwords before they are hashed. The resulting hash value is different than the simple password hash. As such, rainbow tables are useless.

Now, if a single salt is used, a rainbow table can be created for that specific site/salt. And, if individual salts are used, the site itself needs to be compromised (with a database dump or something similar in effect).

tl;dr - If you don't already understand what a rainbow table is, do look into it because it's a critical point in password security.

@db90h - Good call in pointing those out. (And the other bits as well.)

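An added example (not from this thread, and not SMF's code) of the point Renegade makes above: a precomputed hash table reverses unsalted hashes instantly, a random per-user salt defeats that table, and a single site-wide salt only forces the attacker to build one new table per site. SHA-256 and the five-word list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list standing in for the strings a rainbow table would cover.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "hunter2", "dragon"]


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password; an empty salt is a plain unsalted hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words, salt: bytes = b"") -> Dict[str, str]:
    """Precompute hash -> password for a word list.

    With an empty salt this models a rainbow table that works against any
    site storing unsalted hashes; with a fixed salt it models the per-site
    table that a single site-wide salt still permits.
    """
    return {salted_hash(w, salt): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Instant reverse lookup; None means the table does not cover the hash."""
    return table.get(digest)


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """What a server should store: a fresh random per-user salt plus the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: str) -> bool:
    """Re-hash the candidate with the stored salt; constant-time comparison."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> dict:
    # 1. Unsalted storage: the leaked hash is in the precomputed table at once.
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_recovered = lookup(table, salted_hash("hunter2", b""))

    # 2. Per-user random salt: the same table finds nothing.
    salt, stored = store_password("hunter2")
    salted_recovered = lookup(table, stored)

    # 3. Two users with the same password no longer share a hash.
    _, stored_other_user = store_password("hunter2")

    # 4. One site-wide salt: a table built for that salt works again.
    site_salt = b"constructed-site-wide-salt"
    site_table = build_lookup_table(COMMON_PASSWORDS, site_salt)
    _, site_stored = store_password("hunter2", site_salt)
    site_recovered = lookup(site_table, site_stored)

    return {
        "unsalted": unsalted_recovered,
        "per_user_salt": salted_recovered,
        "same_password_differs": stored != stored_other_user,
        "site_wide_salt": site_recovered,
        "verify_ok": verify_password("hunter2", salt, stored),
    }
```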

Renegade

Re: Use a unique password for this site
« Reply #24 on: March 08, 2015, 08:56 AM »
But security isn't about 'criminals', it's about online safety and privacy, especially for those who live in countries where their political affiliation this year could cost them their life the next.

...And that's my point. If you can't keep the alphabet soup crowd out - and you can't - then the entire exercise becomes pointless.

Not entirely pointless. Just pointless if they're interested in you or they make a mistake. :)

BTW - Does anyone have any worries about 2FA?