Starchaser member, 531 posts GMT+0 Http://thesummoninggrid.t Tue 26 Feb 2019 at 07:15
I've returned here after being away for a year. Consequently I'd forgotten my password, so I used the forgot password link. I received an email with my old password in it in plain text. This leads me to the conclusion that either you are storing user passwords in plain text or you are using two-way encryption. You might want to consider changing this to make use of a one-way hashing algorithm. I'd recommend bcrypt or scrypt. Obviously you would also need to change the lost password system to generate a uid to send to the user as part of a reset password link, but I believe this would be a more secure method than the one you are currently using.
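The scheme Starchaser's post proposes, as an added example that is not part of the original thread and not RPoL's code: passwords are stored only as a salted scrypt hash (one of the two algorithms the post recommends, via Python's standard-library `hashlib.scrypt`), and a forgotten-password request sends a random single-use token in a link instead of the password. The server stores only a SHA-256 digest of that token with an expiry, so a dump of the reset table does not yield usable links. The `AccountStore` class, its in-memory dictionaries (standing in for database tables), the `now` clock hook and the sample user are all illustrative assumptions.

```python
"""Added example: one-way password storage with scrypt plus a single-use,
expiring password-reset token. Not RPoL's code; all names are illustrative."""
import hashlib
import hmac
import os
import secrets
import time

# scrypt cost parameters: n = CPU/memory cost, r = block size, p = parallelism.
# 128 * n * r * p bytes of memory per hash (16 MiB here), which stays below
# hashlib.scrypt's default 32 MiB ceiling.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TOKEN_TTL = 3600  # seconds a reset link remains valid


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt, key (hex).

    A fresh 16-byte salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def _token_digest(token: str) -> str:
    """Only this digest is stored; the raw token exists only in the emailed link."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class AccountStore:
    """Illustrative in-memory stand-in for the users and reset-token tables."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.users = {}             # username -> scrypt record from hash_password()
        self.reset_tokens = {}      # sha256(token) -> (username, expires_at)

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, username: str):
        """Return the raw token to embed in the reset link, or None for unknown users.

        The caller should show the same "email sent" message either way so the
        form cannot be used to enumerate accounts.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self.reset_tokens[_token_digest(token)] = (username, self.now() + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), reject if expired, then store the new hash."""
        entry = self.reset_tokens.pop(_token_digest(token), None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("starchaser", "old-secret")          # constructed sample user
    token = store.request_reset("starchaser")
    print("reset link: https://example.invalid/reset?token=" + token)
    print("reset ok:", store.complete_reset(token, "new-secret"))
    print("old password still works:", store.login("starchaser", "old-secret"))
    print("new password works:", store.login("starchaser", "new-secret"))
```

The record format (`scrypt$n$r$p$salt$key`) carries its own parameters, so cost can be raised later and old records re-hashed on the user's next successful login. Because the original password is never recoverable from the record, a "forgot password" mail can only ever carry a reset link, which is exactly the change the post asks for.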
Ergoemos member, 30 posts Wed 3 Apr 2019 at 16:06
Seconding as a user of this website. This seems really irresponsible given the number of users on this website, including minors.
Starchaser member, 575 posts GMT+0 http://bit.ly/2NvdzWG Wed 3 Apr 2019 at 16:14
Escribblings member, 23 posts Thu 4 Apr 2019 at 20:26
Starchaser member, 579 posts GMT+0 http://bit.ly/2NvdzWG Fri 5 Apr 2019 at 10:36
The latest recommendation is that all websites make use of SSL, but there is a cost factor involved in doing this, which is probably why this site doesn't use it. My issue was more around how the passwords were being stored rather than how they were being transmitted.
Skald moderator, 842 posts Whatever it is, I'm against it Fri 5 Apr 2019 at 12:07
And my understanding is that RPoL passwords are encrypted when stored ... but you'll have to wait till jase has a free second to pronounce definitively on that.
Starchaser member, 581 posts GMT+0 http://bit.ly/2NvdzWG Fri 5 Apr 2019 at 17:50
Got it!
jase admin, 3614 posts Cogito, ergo procuro. Carpe stultus! Tue 4 Jun 2019 at 09:40
Nginx (the web server) should be redirecting www.rpol.net and rpol.net to https but clearly isn't. Didn't even notice as I'm always in https. Will check the config. Naughty certbot.
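For reference, the plain-HTTP server block that produces the redirect jase describes, as an added example and not RPoL's actual nginx configuration. It uses the two hostnames named in the post; the certificate paths are the default locations certbot writes to and are an assumption here. The first block is the shape certbot's `--redirect` option generates; the second is the explicit, unconditional form that is easier to audit.

```nginx
# Added example, not RPoL's config. Variant 1: what certbot --redirect typically
# leaves behind. The if-blocks only fire for the listed hosts; any other Host
# header falls through to the 404, so a missing or misspelled host means no redirect.
server {
    listen 80;
    listen [::]:80;
    server_name rpol.net www.rpol.net;

    if ($host = www.rpol.net) {
        return 301 https://$host$request_uri;
    }
    if ($host = rpol.net) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

# Variant 2: the same intent, unconditionally. Every request on port 80 for
# these names is sent to https with its path and query string preserved.
server {
    listen 80;
    listen [::]:80;
    server_name rpol.net www.rpol.net;
    return 301 https://$host$request_uri;
}

# The TLS server block the redirect lands on (paths assumed to be certbot's defaults).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name rpol.net www.rpol.net;

    ssl_certificate     /etc/letsencrypt/live/rpol.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rpol.net/privkey.pem;

    # Ask browsers to go straight to https on later visits, so the plain-http
    # hop (and anything that could intercept it) happens at most once.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # proxy_pass / root directives for the application go here
    }
}
```

After `nginx -t` and a reload, `curl -sI http://rpol.net/ | head -n 1` and the same for `http://www.rpol.net/` should each report `301 Moved Permanently` with a `Location: https://...` header; if either still answers `200`, the request is being served by a different server block (a default one, or a duplicate `server_name`) than the one carrying the redirect.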
Gapperjack member, 281 posts World traveller Film enthusiast Fri 22 Nov 2019 at 09:25
Also not criticising the site: it's fantastic, have been using it happily for years. I've just noticed the same thing: an email sent to me with my password in open text. The site does appear to be using SSL now, though. Are there any plans to change the password mechanisms along any of the following lines?
I appreciate that you're working on this in your free time and that we're not really keeping sensitive information here, so while the risk of a breach is high, the impact is likely to be negligible. Thanks!