Geekzone: technology news, blogs, forums
167 posts

Master Geek


#56813 24-Jan-2010 21:56

I don't know what the deal is, but occasionally I see my password in plain text in my URL bar; surely displaying this isn't the best or most secure practice for a website of geeks.


See below. It mainly happens when I go to GeekZone for the first time in a while: some sort of redirect takes place, putting my user name and password up for whoever happens to be on my computer or glancing over my shoulder.


http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz&password=XXXXXX&ret_page=%2Fdefault%2Easp%3F


Just an FYI in any case.


Cheers.
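A credential submitted with GET does not only sit in the address bar: the whole request line, query string included, is what the web server, any intermediate proxy and the next page's Referer header record. The scanner below is an added example, not Geekzone's code: it runs over a constructed access log in Combined Log Format built around the URL shape quoted above (the password value, client addresses and the other requests are made up), reports every line where a secret-looking parameter is visible in the request target or the Referer, and produces a redacted copy suitable for keeping. The list of parameter names is an assumption to be extended for the application under review.

```python
"""Find and redact credentials that reached a web server's access log via GET.

Added example, not Geekzone's code. SAMPLE_LOG is constructed; only the
login URL shape comes from the forum post.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry secrets (assumption: extend as needed).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "api_key"}
REDACTED = "REDACTED"

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a GET login, the redirect target whose Referer repeats the
# login URL, a POST login (body is not logged) and an ordinary page view.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2010:21:56:01 +1300] "GET /login.asp?submit=login&user_name=patznz&password=hunter2&ret_page=%2Fdefault%2Easp%3F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2010:21:56:02 +1300] "GET /default.asp? HTTP/1.1" 200 8812 "http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz&password=hunter2&ret_page=%2Fdefault%2Easp%3F" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2010:21:57:40 +1300] "POST /login.asp HTTP/1.1" 302 0 "http://www.geekzone.co.nz/" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2010:21:58:03 +1300] "GET /forums.asp?topicid=56813 HTTP/1.1" 200 20310 "-" "Mozilla/5.0"
"""


def secret_params(url: str) -> dict:
    """Return {name: value} for query parameters whose name looks secret."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_PARAMS and v != REDACTED}


def redact_url(url: str) -> str:
    """Replace secret query values with a placeholder, keeping every other parameter."""
    parts = urlsplit(url)
    cleaned = [(k, REDACTED if k.lower() in SECRET_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_access_log(text: str) -> list:
    """One finding per field (request target or Referer) that exposes a secret.

    Each finding is (line_no, field, user_name, sorted parameter names)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            found = secret_params(m.group(field))
            if found:
                user = dict(parse_qsl(urlsplit(m.group(field)).query)).get("user_name")
                findings.append((line_no, field, user, sorted(found)))
    return findings


def redact_access_log(text: str) -> str:
    """Rewrite the log with secret values removed from target and Referer fields."""
    out = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m:
            for field in ("target", "referer"):
                raw = m.group(field)
                if secret_params(raw):
                    line = line.replace(raw, redact_url(raw))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, field, user, names in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {names} for user {user!r} visible in {field}")
    print(redact_access_log(SAMPLE_LOG))
```

Run against the sample, the scanner flags the GET login itself and the following page view whose Referer repeats the whole login URL; the POST login leaves nothing in the log because form bodies are not logged. Redaction keeps user_name and ret_page so the line is still useful for troubleshooting.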

939 posts

Ultimate Geek

Trusted

  #292761 24-Jan-2010 22:15

Old news :-P






1598 posts

Uber Geek
Inactive user


  #292767 24-Jan-2010 22:24

Why don't they fix it then? They've clearly had more than enough time.
I emailed them about this months ago and never heard anything back!

 
 
 
 


4386 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #292770 24-Jan-2010 22:27

What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.



167 posts

Master Geek


  #292777 24-Jan-2010 22:41

No I don't, and that's beside the point, but seriously, it's given in plain text as an argument even when you log on. Might as well set it to 123abc or qwerty.

6372 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #292782 24-Jan-2010 23:03

patznz: No I don't, and that's beside the point, but seriously, it's given in plain text as an argument even when you log on. Might as well set it to 123abc or qwerty.


The page is only loaded when you click login, so unless someone already knows your password, they are not going to be able to access your account.

Even if the login system was changed from GET to POST, your username/password are still going to be sent unencrypted to the Geekzone server, which can be intercepted in transit.  Then the argument comes up of using SSL (similar to banks) to prevent this.

Seriously, if someone did get into your account, what's the worst they can do?

BDFL - Memuneh
66308 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #292786 24-Jan-2010 23:10

codyc1515: Why dont they fix it then, they've clearly had more than enough time?
I emailed them about this months ago, and never heard anything back!



I reply to all emails, and I didn't receive anything.



As for the URL you see, it looks like you bookmarked the login page - check that. It shouldn't "show" on your browser as it is a redirect - unless you bookmark that specific URL.



Search for a recent (last week) discussion called "IP Addresses" and read through it. In short, your password is hashed in our database. It's only unencrypted when doing a submit to our server. The worst thing that could happen is someone using your password to log into another service.



Being a geek I am sure you use a different password for each different service, right?



But, yes, read that discussion.






637 posts

Ultimate Geek

Trusted

  #292790 24-Jan-2010 23:20

rscole86: What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.

There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path.  If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.

 
 
 
 


6372 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #292791 24-Jan-2010 23:44

PenultimateHop: I am surprised SSL is not used for transmitting credentials - it really is best practice.


A little overkill, don't you think, for just forums?

930 posts

Ultimate Geek


  #292793 24-Jan-2010 23:45

PenultimateHop:
There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path.  If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.


For people who log in at work that's a valid point; depending on the web filter/monitor that the IT department runs, the URL could show up on the list, and having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe: browse through an SSL proxy.

Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

637 posts

Ultimate Geek

Trusted

  #292808 25-Jan-2010 06:25

nate: A little overkill, don't you think, for just forums?

Not in the slightest.  Security is a serious consideration; and anything but best practices encourages complacency.  There are mechanisms out there to permit secure transactions across the Internet, and their usage should be encouraged.

meesham: For people who login at their work that's a valid point, depends on the web filter/monitor that the IT department run the URL could show up on the list, having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe, browse through an SSL proxy.

While I agree that people using public wifi should be keeping themselves safe, again it encourages complacency especially when you could reasonably assume that a technology focused site would be following best practices for securing data.  Of course, you can also reasonably argue that a technology savvy user would be keeping themselves secure or be aware of the risks involved, but frankly if a hammer is available why would you use a spoon?

meesham: Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

That is a poor excuse and very much a red herring.  SNI (RFC3546) works around that problem, as does using multiple ports for separate SSL virtual hosts, as does having a single generic SSL site for multiple other sites.  Additionally a site like Geekzone is already running on its own IP address.

IPv4 depletion is a real problem, but it is not an excuse for avoiding SSL.

192 posts

Master Geek


  #292822 25-Jan-2010 08:57

It doesn't bother me too much either way, but you make an excellent point PenultimateHop.

BDFL - Memuneh
66308 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

#292834 25-Jan-2010 10:20

Have you guys read the other discussion as suggested? There are ways around it - we have had an SSL cert on Geekzone for about three years now. Can we submit to an SSL login, save a token to the database, return it to the non-SSL session already in progress (or create a new one) with that one token? Yes, we can.

Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.

Yes, I am thinking of a solution, no it won't be something like "or, turn on SSL it's all fixed now".
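The design sketched above (login over SSL, token handed back to the non-SSL session) and the objection to it can be checked with a small model. The code below is an added example, not Geekzone's code: a toy server with a session table, a browser with a cookie jar, and a passive sniffer that sees everything carried over plain http. It also reaches nate's earlier point that switching GET to POST changes nothing on the wire. The host name, credentials and token format are constructed; the one real mechanism is the cookie Secure flag (RFC 6265), which makes the browser attach a cookie only over https.

```python
"""Why an SSL-only login does not stop session hijacking on a plain-HTTP site.

Added example, not Geekzone's code. Server, browser and sniffer are toys;
the credentials and session tokens are constructed.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure flag: the browser sends the cookie over https only


class ToyServer:
    """Holds user passwords and the session table; requests are plain dicts."""

    def __init__(self, secure_cookies: bool):
        self.users = {"patznz": "correct horse"}  # constructed credentials
        self.sessions = {}                        # token -> user name
        self.secure_cookies = secure_cookies

    def handle(self, method: str, url: str, headers: dict, body: dict) -> dict:
        if method == "POST" and urlsplit(url).path == "/login.asp":
            if self.users.get(body.get("user_name")) != body.get("password"):
                return {"status": 403}
            token = secrets.token_hex(16)
            self.sessions[token] = body["user_name"]
            return {"status": 302,
                    "set_cookie": Cookie("gz_session", token, self.secure_cookies)}
        # Any other page: identify the caller from the session cookie, if present.
        token = headers.get("Cookie", "").partition("gz_session=")[2]
        return {"status": 200, "user": self.sessions.get(token)}


class Sniffer:
    """Passive attacker on the path: records Cookie headers sent over plain http."""

    def __init__(self):
        self.captured = []

    def observe(self, url: str, headers: dict) -> None:
        if urlsplit(url).scheme == "http" and "Cookie" in headers:
            self.captured.append(headers["Cookie"])


class Browser:
    def __init__(self, server: ToyServer, sniffer: Sniffer):
        self.server, self.sniffer, self.jar = server, sniffer, {}

    def request(self, method: str, url: str, body: dict = None) -> dict:
        scheme = urlsplit(url).scheme
        # RFC 6265 4.1.2.5: a Secure cookie is attached to https requests only.
        sendable = [c for c in self.jar.values() if scheme == "https" or not c.secure]
        headers = {}
        if sendable:
            headers["Cookie"] = "; ".join(f"{c.name}={c.value}" for c in sendable)
        self.sniffer.observe(url, headers)
        resp = self.server.handle(method, url, headers, body or {})
        if "set_cookie" in resp:
            self.jar[resp["set_cookie"].name] = resp["set_cookie"]
        return resp


def run_scenario(secure_cookies: bool, browse_scheme: str) -> dict:
    """Log in over https, browse one page over browse_scheme, then let the sniffer replay."""
    server, sniffer = ToyServer(secure_cookies), Sniffer()
    victim = Browser(server, sniffer)
    victim.request("POST", "https://www.geekzone.co.nz/login.asp",
                   {"user_name": "patznz", "password": "correct horse"})
    seen_as = victim.request("GET", f"{browse_scheme}://www.geekzone.co.nz/forums.asp")["user"]
    hijacked = None
    for cookie_header in sniffer.captured:  # replay whatever crossed the wire in clear
        hijacked = server.handle("GET", "https://www.geekzone.co.nz/forums.asp",
                                 {"Cookie": cookie_header}, {})["user"]
    return {"victim_seen_as": seen_as, "captured": len(sniffer.captured),
            "attacker_seen_as": hijacked}


if __name__ == "__main__":
    print("token returned to http, no Secure flag:", run_scenario(False, "http"))
    print("Secure flag, user still browsing http: ", run_scenario(True, "http"))
    print("Secure flag, whole site over https:    ", run_scenario(True, "https"))
```

The first scenario is the proposal as described: the password never crosses the wire in clear, but the token does on the very next page view, and the attacker is then logged in as the victim. Marking the cookie Secure stops that capture, but a user who lands on an http URL is then simply logged out, which is why the fix ends up being the whole session over https rather than the login page alone.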




488 posts

Ultimate Geek


  #292861 25-Jan-2010 13:17

freitasm: Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.


Heard of cookies? That's exactly what they are supposed to prevent (putting session data in the URL etc.).
Putting the password or any sensitive data in the URL makes it show up in web history, which is very, very bad in all security books... (even over SSL).





8035 posts

Uber Geek

Trusted

  #292870 25-Jan-2010 13:51

@freitasm: a password in the URL is worse than one only in a cookie, because cookies are only sent by the browser to the domain they are for.

Third-party pages/sites/servers can potentially read browsing history, including visited URLs, via various methods (JavaScript, ActiveX, Flash, referrer etc.).
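The two browser rules behind the point above can be written down and exercised. The functions below are an added example, not Geekzone's code: a cookie is sent only to hosts that domain-match the one it was set for (RFC 6265 section 5.1.3), while the Referer header carries the full URL of the page you came from, query string included, whenever a page embeds a resource from somewhere else. Browsers of the period sent that full URL to any http or https destination, withholding it only when an https page requested a plain-http resource (RFC 2616 section 15.1.3); modern browsers default to sending just the origin cross-site, so this models 2010 behaviour. The third-party host, the cookie jar contents and the password value are constructed; the login URL follows the shape quoted at the top of the thread.

```python
"""Where a password in the URL travels that a cookie would not.

Added example, not Geekzone's code. LOGIN_URL, JAR and THIRD_PARTY are
constructed for the demonstration.
"""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed: the URL the OP saw with a sample password, the session cookie
# Geekzone would hold for its own host (domain, name, value), and an embedded
# tracking image served by someone else.
LOGIN_URL = ("http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz"
             "&password=hunter2&ret_page=%2Fdefault%2Easp%3F")
JAR = [("www.geekzone.co.nz", "gz_session", "deadbeef")]
THIRD_PARTY = "http://ads.example.net/pixel.gif"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: the host itself or a subdomain of it.

    Assumption: every jar entry is treated as a Domain= cookie; a host-only
    cookie would need an exact match."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def referer_for(page_url: str, resource_url: str):
    """Referer a browser of the period attached when page_url loaded resource_url."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if page.scheme == "https" and res.scheme != "https":
        return None  # secure page, insecure resource: Referer withheld (RFC 2616 15.1.3)
    # Full URL minus fragment: scheme, host, path and the complete query string.
    return urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))


def headers_for(page_url: str, resource_url: str, jar) -> dict:
    """Cookie and Referer headers sent for a resource embedded in page_url."""
    host = urlsplit(resource_url).hostname
    cookies = [f"{name}={value}" for domain, name, value in jar
               if domain_matches(host, domain)]
    headers = {}
    if cookies:
        headers["Cookie"] = "; ".join(cookies)
    referer = referer_for(page_url, resource_url)
    if referer is not None:
        headers["Referer"] = referer
    return headers


def leaked_query_params(page_url: str, resource_url: str, jar) -> dict:
    """Query parameters of page_url that the resource's host gets to read."""
    referer = headers_for(page_url, resource_url, jar).get("Referer", "")
    return dict(parse_qsl(urlsplit(referer).query))


if __name__ == "__main__":
    print("third party receives:", headers_for(LOGIN_URL, THIRD_PARTY, JAR))
    print("third party learns:  ", leaked_query_params(LOGIN_URL, THIRD_PARTY, JAR))
    print("own host receives:   ",
          headers_for(LOGIN_URL, "http://www.geekzone.co.nz/img/logo.gif", JAR))
    https_login = LOGIN_URL.replace("http://", "https://", 1)
    print("https page, http third party: ", headers_for(https_login, THIRD_PARTY, JAR))
    print("https page, https third party:",
          leaked_query_params(https_login, THIRD_PARTY.replace("http://", "https://", 1), JAR))
```

The session cookie never leaves the Geekzone host, but the password in the query string goes to every third-party host the login page happens to load content from, and an https login page still leaks it to any https third party. The browser history entry is not modelled here; it records the URL regardless of scheme, which is the "even over SSL" case raised in the previous post.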


BDFL - Memuneh
66308 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #292878 25-Jan-2010 14:16

Ragnor, point taken. I will modify this later today when back home - remember it's a Wellington holiday here...



