Starchaser
member, 531 posts
GMT+0
Http://thesummoninggrid.t
Tue 26 Feb 2019
at 07:15 | Site passwordsHi.
I've returned here after being away for a year. Consequently I'd forgotten my password so I used the forgot password link. I received an email with my old password in it in plain text. This leads me to the conclusion that either you are storing user passwords in plain text or that you are using two-way encryption. You might want to consider changing this to make use of a one-way hashing algorythm. I'd reccommend bcrypt or scrypt. Obviously you would also need to change the lost password system to generate a uid to send to the user as part of a reset password link but I believe this would be a more secure method than the one you are currently using.
|
Ergoemos
member, 30 posts
Wed 3 Apr 2019
at 16:06 | Site passwordsIn reply to Starchaser (msg # 1):
Seconding as a user of this website. This seems really irresponsible given the number of users on this website, including minors.
|
Starchaser
member, 575 posts
GMT+0
http://bit.ly/2NvdzWG
Wed 3 Apr 2019
at 16:14 | Site passwordsI should say though, that I am in no way criticizing the site itself. You guys are doing a great job.
|
Escribblings
member, 23 posts
Thu 4 Apr 2019
at 20:26 | Site passwordsI've had a browser warn me that my password on here was unencrypted.
|
Starchaser
member, 579 posts
GMT+0
http://bit.ly/2NvdzWG
Fri 5 Apr 2019
at 10:36 | Site passwordsWell that's probably because the site is not configured to use SSL encryption (you would know if it was because the address bar would start with https:// and there would be a padlock icon).
The latest reccomendation is that all websites make use of SSL but there is a cost factor involved in doing this, which is probably why this site doesn't use it.
My issue was more around how the passwords were being stored rather than how they were being transmitted.
|
Skald
moderator, 842 posts
Whatever it is,
I'm against it
Fri 5 Apr 2019
at 12:07 | Site passwordsYou probably should be using the https://rpol.net/ link. :>
And my understanding is that RPoL passwords are encrypted when stored ... but you'll have to wait till jase has a free second to pronounce definitively on that.
|
Starchaser
member, 581 posts
GMT+0
http://bit.ly/2NvdzWG
Fri 5 Apr 2019
at 17:50 | Site passwordsAh so no IIS url rewrite or .htaccess redirect?
Got it!
|
jase
admin, 3614 posts
Cogito, ergo procuro.
Carpe stultus!
Tue 4 Jun 2019
at 09:40 | Site passwordsAlas yes they're reversible encryption at the moment, I'll be changing that at some stage but my master code structure is halfway (third.. quarter way maybe) to the responsive layout so it's hard to make changes to the background code/functionality without uploading said half-baked responsive layout. So I'm a bit stuck. Something I wanted to do years ago but this responsive thing is taking forever (doesn't help I don't have much free time these days!).
Nginx (the web server) should be redirecting www.rpol.net and rpol.net to https but clearly not. Didn't even notice as I'm always in https. Will check the config. Naughty certbot.
|
Gapperjack
member, 281 posts
World traveller
Film enthusiast
Fri 22 Nov 2019
at 09:25 | Site passwordsIn reply to jase (msg # 8):
Also not criticising the site — it's fantastic, have been using it happily for years.
I've just noticed the same thing — an email sent to me with my password in open text. The site does appear to be using SSL now, though.
Are there any plans to change the password mechanisms along any of the following lines?
- Stop sending the password in the confirmation email — just acknowledge the change
- Implement multi-factor authentication (MFA)
- Email secure password reset link rather than password
I appreciate that you're working on this in your free time and that we're not really keeping sensitive information here, so while the risk of a breach is high, the impact is likely to be negligible.
Thanks!
|
admin post