Geekzone: technology news, blogs, forums


nzpat

167 posts

Master Geek


#56813 24-Jan-2010 21:56

I don't know what the deal is, but occasionally I see my password in plain text in my URL bar. Surely displaying this isn't the best or most secure practice for a website of geeks.


See below; it mainly happens when I go to Geekzone for the first time in a while. Some sort of redirect takes place, putting my user name and password up for whoever happens to be on my computer or glancing over my shoulder.


http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz&password=XXXXXX&ret_page=%2Fdefault%2Easp%3F


Just an FYI in any case.


Cheers.

munchkin
939 posts

Ultimate Geek

Trusted

  #292761 24-Jan-2010 22:15

Old news :-P



codyc1515
1598 posts

Uber Geek
Inactive user


  #292767 24-Jan-2010 22:24

Why don't they fix it then? They've clearly had more than enough time.
I emailed them about this months ago, and never heard anything back!

rscole86
4973 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #292770 24-Jan-2010 22:27

What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for Geekzone as the same one for internet banking, etc.



nzpat

167 posts

Master Geek


  #292777 24-Jan-2010 22:41

No, I don't, and that's beside the point, but seriously, it's given in plain text as an argument even when you log on. Might as well set it to 123abc or qwerty.

nate
6473 posts

Uber Geek

Retired Mod
Trusted
Lifetime subscriber

  #292782 24-Jan-2010 23:03

patznz: No, I don't, and that's beside the point, but seriously, it's given in plain text as an argument even when you log on. Might as well set it to 123abc or qwerty.


The page is only loaded when you click login, so unless someone already knows your password, they are not going to be able to access your account.

Even if the login system was changed from GET to POST, your username/password are still going to be sent unencrypted to the Geekzone server, which can be intercepted in transit.  Then the argument comes up of using SSL (similar to banks) to prevent this.

Seriously, if someone did get into your account, what's the worst they can do?

freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #292786 24-Jan-2010 23:10

codyc1515: Why don't they fix it then? They've clearly had more than enough time.
I emailed them about this months ago, and never heard anything back!



I reply to all emails, and I didn't receive anything.



As for the URL you see, it looks like you bookmarked the login page - check that. It shouldn't "show" on your browser as it is a redirect - unless you bookmark that specific URL.



Search for a recent (last week) discussion called "IP Addresses" and read through it. In short, your password is hashed in our database. It's only unencrypted when doing a submit to our server. The worst thing that could happen is someone using your password to log into another service.



Being a geek I am sure you use a different password for each different service, right?



But, yes, read that discussion.








PenultimateHop
637 posts

Ultimate Geek

Trusted

  #292790 24-Jan-2010 23:20

rscole86: What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for Geekzone as the same one for internet banking, etc.

There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path. If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.
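Detection logic for the logging risk PenultimateHop describes, as an added example that is not Geekzone's code nor from the original thread: it scans constructed access-log lines (modelled on the URL quoted at the top, with a placeholder password) for credentials in the query string and produces a redacted request line safe to keep. The sensitive-parameter list and the log sample are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that should never appear in a request line.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session", "sessionid"}

# Constructed sample of a combined-format access log (placeholder password, not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2010:21:56:03 +1300] "GET /login.asp?submit=login&user_name=patznz&password=XXXXXX&ret_page=%2Fdefault%2Easp%3F HTTP/1.1" 302 0
10.0.0.5 - - [24/Jan/2010:21:56:04 +1300] "GET /default.asp? HTTP/1.1" 200 5120
10.0.0.9 - - [24/Jan/2010:21:57:11 +1300] "POST /login.asp HTTP/1.1" 302 0
"""

# Pulls the method and request target out of the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, names_of_sensitive_params_found)."""
    parts = urlsplit(target)
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(name)
            kept.append((name, "REDACTED"))
        else:
            kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scan_log(text):
    """Return one (line_no, method, sensitive_params, redacted_target) per offending line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        redacted, found = redact_target(m.group("target"))
        if found:
            hits.append((line_no, m.group("method"), found, redacted))
    return hits

if __name__ == "__main__":
    for line_no, method, found, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {redacted}  <- sensitive params: {', '.join(found)}")
```

The same scan applied to browser history or proxy logs shows why the POST line on the third sample line leaks nothing while the GET line has to be scrubbed.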

nate
6473 posts

Uber Geek

Retired Mod
Trusted
Lifetime subscriber

  #292791 24-Jan-2010 23:44

PenultimateHop: I am surprised SSL is not used for transmitting credentials - it really is best practice.


A little overkill, don't you think, for just forums?

meesham
973 posts

Ultimate Geek


  #292793 24-Jan-2010 23:45

PenultimateHop:
There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path. If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.


For people who log in at their work that's a valid point; depending on the web filter/monitor that the IT department runs, the URL could show up on the list, and having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe: browse through an SSL proxy.

Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

PenultimateHop
637 posts

Ultimate Geek

Trusted

  #292808 25-Jan-2010 06:25

nate: A little overkill, don't you think, for just forums?

Not in the slightest. Security is a serious consideration, and anything but best practices encourages complacency. There are mechanisms out there to permit secure transactions across the Internet, and their usage should be encouraged.

meesham: For people who log in at their work that's a valid point; depending on the web filter/monitor that the IT department runs, the URL could show up on the list, and having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe: browse through an SSL proxy.

While I agree that people using public wifi should be keeping themselves safe, again it encourages complacency, especially when you could reasonably assume that a technology-focused site would be following best practices for securing data. Of course, you can also reasonably argue that a technology-savvy user would be keeping themselves secure or be aware of the risks involved, but frankly, if a hammer is available why would you use a spoon?

meesham: Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

That is a poor excuse and very much a red herring. SNI (RFC3546) works around that problem, as does using multiple ports for separate SSL virtual hosts, as does having a single generic SSL site for multiple other sites. Additionally, a site like Geekzone is already running on its own IP address.

IPv4 depletion is a real problem, but it is not an excuse for avoiding SSL.

rattewisday
203 posts

Master Geek


  #292822 25-Jan-2010 08:57

It doesn't bother me too much either way, but you make an excellent point, PenultimateHop.

freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#292834 25-Jan-2010 10:20

Have you guys read the other discussion as suggested? There are ways around it - we have had an SSL cert on Geekzone for about three years now. Can we submit to an SSL login, save a token to the database, and return it to the non-SSL session already in progress (or create a new one) with that one token? Yes, we can.

Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.

Yes, I am thinking of a solution, no it won't be something like "or, turn on SSL it's all fixed now".






Filterer
489 posts

Ultimate Geek


  #292861 25-Jan-2010 13:17

freitasm: Will that prevent impersonation? No, it won't. Because unless the whole session is encrypted, someone looking over your connection could easily capture the token and still impersonate you.


Heard of cookies? That's exactly what they are supposed to prevent (putting session data in the URL, etc.).
Putting the password or any sensitive data in the URL makes it show up in web history, which is very, very bad in all security books... (even over SSL).




pɐǝɥ sıɥ uo ƃuıpuɐʇs

Ragnor
8219 posts

Uber Geek

Trusted

  #292870 25-Jan-2010 13:51

@freitasm, a password in the URL is worse than one only in a cookie, because cookies are only sent by the browser to the domain they are for.

Third-party pages/sites/servers can potentially read browsing history, including visited URLs, via various methods (JavaScript, ActiveX, Flash, referrer, etc.).
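The cookie-based session that Filterer and Ragnor describe (and the token idea freitasm floats above), as an added example that is not the forum's code: the login handler accepts credentials only in a POST body, stores a salted password hash and a hashed session token, and issues the token in a cookie flagged HttpOnly and Secure, so it appears neither in the URL (history, logs, referrers) nor on a plain-HTTP connection. The in-memory stores and handler names are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical in-memory stores standing in for the site's database.
USERS = {}     # user_name -> (salt, PBKDF2 digest); the password is never stored in clear
SESSIONS = {}  # sha256(token) -> user_name; a leaked table does not yield usable tokens

def register(user_name, password):
    salt = secrets.token_bytes(16)
    USERS[user_name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

def check_password(user_name, password):
    rec = USERS.get(user_name)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

def handle_login(method, body):
    """POST /login.asp: credentials travel only in the request body, never in the URL."""
    if method != "POST":
        return 405, {"Allow": "POST"}       # refuse the GET form quoted in the thread
    form = parse_qs(body)
    user = form.get("user_name", [""])[0]
    if not check_password(user, form.get("password", [""])[0]):
        return 401, {}
    ret_page = form.get("ret_page", ["/default.asp"])[0]
    if not ret_page.startswith("/") or ret_page.startswith("//"):
        ret_page = "/default.asp"           # only redirect within the site
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["secure"] = True      # only sent over HTTPS, so not sniffable on wifi
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    # The redirect target carries no credentials, so history and logs see only the path.
    return 302, {"Location": ret_page, "Set-Cookie": cookie.output(header="").strip()}

def user_from_cookie(cookie_header):
    """Resolve a Cookie: header back to the logged-in user, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    return SESSIONS.get(hashlib.sha256(cookie["session"].value.encode()).hexdigest())
```

The Secure flag only pays off when the whole session is served over HTTPS, which is freitasm's point about encrypting the entire session rather than the login alone.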


freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #292878 25-Jan-2010 14:16

Ragnor, point taken. I will modify this later today when back home - remember it's a Wellington holiday here...





