Starchaser
 member, 531 posts
 GMT+0
 Http://thesummoninggrid.t
Tue 26 Feb 2019
at 07:15
Site passwords
Hi.

I've returned here after being away for a year. Consequently I'd forgotten my password so I used the forgot password link. I received an email with my old password in it in plain text. This leads me to the conclusion that either you are storing user passwords in plain text or that you are using two-way encryption. You might want to consider changing this to make use of a one-way hashing algorithm. I'd recommend bcrypt or scrypt. Obviously you would also need to change the lost password system to generate a uid to send to the user as part of a reset password link, but I believe this would be a more secure method than the one you are currently using.
Ergoemos
 member, 30 posts
Wed 3 Apr 2019
at 16:06
Site passwords
In reply to Starchaser (msg # 1):

Seconding as a user of this website. This seems really irresponsible given the number of users on this website, including minors.
Starchaser
 member, 575 posts
 GMT+0
 http://bit.ly/2NvdzWG
Wed 3 Apr 2019
at 16:14
Site passwords
I should say though, that I am in no way criticizing the site itself. You guys are doing a great job.
Escribblings
 member, 23 posts
Thu 4 Apr 2019
at 20:26
Site passwords
I've had a browser warn me that my password on here was unencrypted.
Starchaser
 member, 579 posts
 GMT+0
 http://bit.ly/2NvdzWG
Fri 5 Apr 2019
at 10:36
Site passwords
Well that's probably because the site is not configured to use SSL encryption (you would know if it was because the address bar would start with https:// and there would be a padlock icon).

The latest recommendation is that all websites make use of SSL, but there is a cost factor involved in doing this, which is probably why this site doesn't use it.

My issue was more around how the passwords were being stored rather than how they were being transmitted.
Skald
 moderator, 842 posts
 Whatever it is,
 I'm against it
Fri 5 Apr 2019
at 12:07
Site passwords
You probably should be using the https://rpol.net/ link.   :>

And my understanding is that RPoL passwords are encrypted when stored ... but you'll have to wait till jase has a free second to pronounce definitively on that.
Starchaser
 member, 581 posts
 GMT+0
 http://bit.ly/2NvdzWG
Fri 5 Apr 2019
at 17:50
Site passwords
Ah, so no IIS URL rewrite or .htaccess redirect?

Got it!
jase
 admin, 3614 posts
 Cogito, ergo procuro.
 Carpe stultus!
Tue 4 Jun 2019
at 09:40
Site passwords
Alas yes they're reversible encryption at the moment, I'll be changing that at some stage but my master code structure is halfway (third.. quarter way maybe) to the responsive layout so it's hard to make changes to the background code/functionality without uploading said half-baked responsive layout.  So I'm a bit stuck.  Something I wanted to do years ago but this responsive thing is taking forever (doesn't help I don't have much free time these days!).

Nginx (the web server) should be redirecting www.rpol.net and rpol.net to https but clearly not.  Didn't even notice as I'm always in https.  Will check the config.  Naughty certbot.
Gapperjack
 member, 281 posts
 World traveller
 Film enthusiast
Fri 22 Nov 2019
at 09:25
Site passwords
In reply to jase (msg # 8):

Also not criticising the site, it's fantastic; I have been using it happily for years.

I've just noticed the same thing: an email sent to me with my password in open text. The site does appear to be using SSL now, though.

Are there any plans to change the password mechanisms along any of the following lines?

  • Stop sending the password in the confirmation email; just acknowledge the change
  • Implement multi-factor authentication (MFA)
  • Email secure password reset link rather than password
I appreciate that you're working on this in your free time and that we're not really keeping sensitive information here, so while the risk of a breach is high, the impact is likely to be negligible.

Thanks!
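The two changes asked for in this thread, Starchaser's first post (one-way hashing with bcrypt or scrypt, and a reset link built from a random identifier instead of an emailed password) and Gapperjack's list (acknowledge the change rather than mailing the password, email a reset link), can be shown together in one small model. This is an added example written for this thread; it is not RPoL's code and not code posted by anyone here. It uses Python's standard `hashlib.scrypt` rather than bcrypt, an in-memory `UserStore` class constructed as a stand-in for the real user table, and assumed values for the scrypt cost parameters and the 15-minute token lifetime.

```python
import hashlib
import hmac
import os
import secrets

# scrypt cost parameters (assumed values for illustration; tune to your hardware).
# Memory use is roughly 128 * N * r bytes, so N=2**14, r=8 needs about 16 MiB,
# which stays under hashlib.scrypt's default 32 MiB limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
RESET_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes (assumed policy)


def hash_password(password: str) -> str:
    """One-way hash: a fresh random salt plus scrypt. The password cannot be recovered."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Keep the parameters with the hash so they can be raised later without
    # invalidating records written under the old settings.
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt and parameters, compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def _token_fingerprint(token: str) -> str:
    # Only a hash of the reset token is stored, so a copy of the user table
    # is not enough to complete a reset; the raw token exists only in the email.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserStore:
    """In-memory stand-in for the site's user table (constructed for this example)."""

    def __init__(self):
        # username -> {"pw": <hash string>, "reset": None | (fingerprint, expiry)}
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = {"pw": hash_password(password), "reset": None}

    def login(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        return user is not None and verify_password(password, user["pw"])

    def stored_record(self, username: str) -> str:
        return self._users[username]["pw"]

    def request_reset(self, username: str, now: float):
        """Return the raw token to embed in the emailed link, or None for unknown users.
        The caller should answer identically in both cases so the response does not
        reveal whether an account exists."""
        user = self._users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user["reset"] = (_token_fingerprint(token), now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, username: str, token: str, new_password: str, now: float) -> bool:
        """Consume the token: it must exist, be unexpired and match; it is single use."""
        user = self._users.get(username)
        if user is None or user["reset"] is None:
            return False
        fingerprint, expiry = user["reset"]
        if now > expiry:
            user["reset"] = None
            return False
        if not hmac.compare_digest(_token_fingerprint(token), fingerprint):
            return False
        user["pw"] = hash_password(new_password)
        user["reset"] = None  # a reset link works once
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("starchaser", "correct horse battery staple")
    print(store.stored_record("starchaser"))  # salt and hash only, never the password
    raw = store.request_reset("starchaser", now=1000.0)
    print("reset via link:", store.complete_reset("starchaser", raw, "new passphrase", now=1100.0))
    print("old password still works:", store.login("starchaser", "correct horse battery staple"))
```

The stored record contains only the algorithm parameters, a per-user salt and the scrypt output, so a "forgot password" flow can no longer mail the password back; it can only mail a link carrying the raw token, and the confirmation email after a change would just acknowledge the change. The `now` argument is passed in explicitly so expiry can be tested without waiting.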