Use a unique password for this site

db90h:
BTW, I have converted my entire SMF based forum to SSL, FWIW...  Doesn't have the mods yours has, but...

EDIT: Oh, ok, if it hashes the passwords on the client side, that helps ;)

db90h:
.delme. this post. or thread. I wasn't attacking you guys, but please, be reasonable, and acknowledge it as an issue that needs addressing sooner or later.

Deozaan:
@Deozaan: That is not the default address, unless maybe you use that HTTPEverywhere extension.

It defaults to HTTP.

So sorry to have brought this up. It's legit though.
-db90h (March 06, 2015, 11:43 PM)
--- End quote ---

I still don't get what the big deal is, or why you're freaking out about it. It's pretty obvious that you're not going to have an encrypted connection if you don't use https.

It's a discussion board. It's not your bank account.

db90h:
I still don't get what the big deal is, or why you're freaking out about it. It's pretty obvious that you're not going to have an encrypted connection if you don't use https.
-Deozaan (March 06, 2015, 11:48 PM)
--- End quote ---

Logins where credentials are supplied are presumed to at least have SSL encryption by industry standard.

I'm not freaking out.

If SMF hashes the password on the client side before sending it unencrypted, then you're not bad off.

But if you don't understand what I was concerned about, then you aren't trying very hard ;). Not everyone even knows what HTTPS is.

mwb1100:
Not that anyone probably cares, but here's my basic website password security scheme:

  - sites that I deem important/sensitive, such as my banking sites, PayPal, work, etc. get unique, strong passwords
  - sites that I consider to not be highly sensitive, i.e., I won't lose money if someone gets into my account, such as DC, or cracked.com, or whatever, get a password that's mostly the same as every other similarly non-sensitive website.  I do change the starting letter of the password to match the site's domain name - that gives these passwords some very small measure of uniqueness.

This works well for me because I don't have to work at all to remember most website passwords.  Of course, I'd rather those accounts not get hacked, but I won't be seriously hurt if they do so I don't feel I have to put a lot of effort into password security for them.  However, those passwords are still generally different enough from one another that if one site gets hacked and a list of userids & passwords gets into the hands of hackers (such as with the Adobe breach), those hackers won't get into *all* of my website accounts.  And the few that they might get a match on will be more or less worthless to them - at least as far as bringing any kind of harm to me.  Getting one of those passwords does nothing to help them get a password for any of the sites I consider sensitive.

The key is that the "common" password I use has a mix of letters, letter case, numbers, a punctuation character, and a length that's long enough, but not too long.

This lets that password get through nearly every 'password strength requirement' filter out there, but still fits constraints that some sites have.  It probably doesn't happen too often anymore, but in the past I have come across web sites that don't allow passwords to be longer than 8 characters or don't allow characters like quotes or slashes.  So my common, base password doesn't violate those rules.  But it's still complex enough to make most sites happy.

Anyway, that's how I deal with password management.

Irritating password constraints trivia: I recall one website that wanted passwords to be no shorter than 6 characters, but no longer than 8 characters - what???
