Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsGeekzoneGeekzone passwords in plain text


167 posts

Master Geek


Topic # 56813 24-Jan-2010 21:56
Send private message

I dont know what the deal is but occasionally I see my password in plain text in my url bar, surely displaying this isnt the best or most secure practice for a website of geeks.


See below, it mainly happens when I go to GeekZone for the first time in a while, some sort of redirect takes place putting my user name and password up for whoever happens to be on my computer or glancing over my shoulder.


http://www.geekzone.co.nz/login.asp?submit=login&user_name=patznz&password=XXXXXX&ret_page=%2Fdefault%2Easp%3F


Just a FYI in any case.


Cheers.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
939 posts

Ultimate Geek
+1 received by user: 16

Trusted

  Reply # 292761 24-Jan-2010 22:15
Send private message

Old news :-P




munchkin | Troll | Author | Artist | Citizen | Friend | Misanthrope

Join us in the Geekzone IRC channel!

 


All information contained in posts made by me shall be treated as PotatoZoo's own personal opinion unless otherwise specified.

 

1598 posts

Uber Geek
Inactive user


  Reply # 292767 24-Jan-2010 22:24
Send private message

Why dont they fix it then, they've clearly had more than enough time?
I emailed them about this months ago, and never heard anything back!

4288 posts

Uber Geek
+1 received by user: 82

Moderator
Trusted
Lifetime subscriber

  Reply # 292770 24-Jan-2010 22:27
Send private message

What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.



167 posts

Master Geek


  Reply # 292777 24-Jan-2010 22:41
Send private message

No I don't and thats besides the point, but seriously its given in plain text as an argument even when you log on. Might aswell set it to 123abc or qwerty.

6328 posts

Uber Geek
+1 received by user: 391

Moderator
Trusted
Lifetime subscriber

  Reply # 292782 24-Jan-2010 23:03
Send private message

patznz: No I don't and thats besides the point, but seriously its given in plain text as an argument even when you log on. Might aswell set it to 123abc or qwerty.


The page is only loaded when you click login, so unless someone already knows your password, they are not going to be able to access your account.

Even if the login system was changed from GET to POST, your username/password are still going to be sent unencrypted to the Geekzone server, which can be intercepted in transit.  Then the argument comes up of using SSL (similar to banks) to prevent this.

Seriously, if someone did get into your account, what's the worst they can do?

BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 292786 24-Jan-2010 23:10
Send private message

codyc1515: Why dont they fix it then, they've clearly had more than enough time?
I emailed them about this months ago, and never heard anything back!



I reply to all emails, and I didn't receive anything.



As for the URL you see, it looks like you bookmarked the login page - check that. It shouldn't "show" on your browser as it is a redirect - unless you bookmark that specific URL.



Search for a recent (last week) discussion called "IP Addresses" and read through it. In short, your password is hashed in our database. It's only unencrypted when doing a submit to our server. The worst thing it could happen is someone use your password to log into another service.



Being a geek I am sure you use a different password for each different service, right?



But, yes, read that discussion.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management | Customer Relationship Management

 

 

637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 292790 24-Jan-2010 23:20
Send private message

rscole86: What is the problem here? It is only on your address bar, for a few seconds. And I doubt 99% of people looking over your shoulder will firstly see it, note it down, and then use it.

I would hope that you do not use your password for geekzone, as your same one for internet banking etc.

There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path.  If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.

6328 posts

Uber Geek
+1 received by user: 391

Moderator
Trusted
Lifetime subscriber

  Reply # 292791 24-Jan-2010 23:44
Send private message

PenultimateHop: I am surprised SSL is not used for transmitting credentials - it really is best practice.


Alittle overkill don't you think for just forums?

918 posts

Ultimate Geek
+1 received by user: 224

Subscriber

  Reply # 292793 24-Jan-2010 23:45
Send private message

PenultimateHop:
There's also a fairly high possibility of it being logged by any proxies or caches in your HTTP path.  If you're browsing over WiFi, the password is also visible to all on that WiFi network.

I am surprised SSL is not used for transmitting credentials - it really is best practice.


For people who login at their work that's a valid point, depends on the web filter/monitor that the IT department run the URL could show up on the list, having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe, browse through an SSL proxy.

Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 292808 25-Jan-2010 06:25
Send private message

nate: Alittle overkill don't you think for just forums?

Not in the slightest.  Security is a serious consideration; and anything but best practices encourages complacency.  There are mechanisms out there to permit secure transactions across the Internet, and their usage should be encouraged.

meesham: For people who login at their work that's a valid point, depends on the web filter/monitor that the IT department run the URL could show up on the list, having the password show up in the URL is less than ideal. But for public wifi I think it's really up to the user to keep themselves safe, browse through an SSL proxy.

While I agree that people using public wifi should be keeping themselves safe, again it encourages complacency especially when you could reasonably assume that a technology focused site would be following best practices for securing data.  Of course, you can also reasonably argue that a technology savvy user would be keeping themselves secure or be aware of the risks involved, but frankly if a hammer is available why would you use a spoon?

meesham: Having every site use SSL for posting data isn't an option as it would then mean that every website would require a unique IP address to be able to support it, the world would run out of IP addresses quicker than it already is.

That is a poor excuse and very much a red herring.  SNI (RFC3546) works around that problem, as does using multiple ports for separate SSL virtual hosts, as does having a single generic SSL site for multiple other sites.  Additionally a site like Geekzone is already running on its own IP address.

IPv4 depletion is a real problem, but it is not an excuse for avoiding SSL.

192 posts

Master Geek


  Reply # 292822 25-Jan-2010 08:57
Send private message

It doesn't bother me to much either way but you make an excellent point PenultimateHop.

BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 292834 25-Jan-2010 10:20
Send private message

Have you guys read the other discussion as suggested? There are ways around it - we have a SSL cert on Geekzone for about three years now. Can we submit to a SSL login, save a token to the database, return it to the non-SSL session already in progress (or create a new one) with that one token? Yes, we can.

Will that prevent impersionation? No, it won't. Because unless the whole session is encrypted then someone looking over your connection could easily capture the token and still impersonate you.

Yes, I am thinking of a solution, no it won't be something like "or, turn on SSL it's all fixed now".




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management | Customer Relationship Management

 

 

486 posts

Ultimate Geek
+1 received by user: 6


  Reply # 292861 25-Jan-2010 13:17
Send private message

freitasm: Will that prevent impersionation? No, it won't. Because unless the whole session is encrypted then someone looking over your connection could easily capture the token and still impersonate you.


Heard of cookies? Thats exactly what it is supposed to prevent (putting session data in the url etc)
Putting the password or any sensitive data in the url makes it show up in web history which is very very bad in all security books.... (even over ssl)




pɐǝɥ sıɥ uo ƃuıpuɐʇs

8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 292870 25-Jan-2010 13:51
Send private message

@freitasm password in the url is worse than only in a cookie because cookies are only sent to the domain they are for by the browser.

3rd party pages/sites/severs can potentially read browsing history including visited urls via various methods (javascript, activex, flash, referrer etc).

BDFL - Memuneh
61314 posts

Uber Geek
+1 received by user: 12060

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 292878 25-Jan-2010 14:16
Send private message

Ragnor, point take. I will modify this later today when back home - remember it's a Wellington holiday here...




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure  | Business Transformation | Enterprise Content Management | Customer Relationship Management

 

 

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.